| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Feb 2018 19:27:59 +0000 From: "Hornseth, Brenan [USA]" <Hornseth_Brenan@....com> To: "linux-ext4@...R.KERNEL.ORG" <linux-ext4@...R.KERNEL.ORG> Subject: Buffer overflow in e2fsprog's fsck utility Hopefully this is the correct place to report this; I recently found a buffer overflow bug in the "fsck" command-line utility on an old version of the tool. Today I checked out the e2fsprogs master and compiled it on my x86-64 ubuntu 16.04 machine and confirmed the bug still exists. I have been able to produce the bug on multiple machines with a command-line like: fsck -t AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /dev/sda Which results in a message: "*** buffer overflow detected ***: fsck terminated" I believe the bug stems from fsck.c, execute() line 448. Relevant code follows: 438 char *s, *argv[80], prog[80]; 439 int argc, i; 440 struct fsck_instance *inst, *p; 441 pid_t pid; 442 443 inst = malloc(sizeof(struct fsck_instance)); 444 if (!inst) 445 return ENOMEM; 446 memset(inst, 0, sizeof(struct fsck_instance)); 447 448 sprintf(prog, "fsck.%s", type); Note that the sprintf() call does no bounds checking of the "type" argument and that "prog" is only 80 bytes in size. Please let me know if you need anything else or would prefer a patch (and what format is preferred). Thanks, Brenan
Powered by blists - more mailing lists