| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <bug-200401-13602-in3Cr9NIML@https.bugzilla.kernel.org/>
Date: Mon, 30 Jul 2018 04:37:18 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: linux-ext4@...nel.org
Subject: [Bug 200401] Another buffer overrun in ext4_xattr_set_entry() when
operating a corrupted ext4 image
https://bugzilla.kernel.org/show_bug.cgi?id=200401
Theodore Tso (tytso@....edu) changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |tytso@....edu
--- Comment #2 from Theodore Tso (tytso@....edu) ---
Here's an even simpler repro:
# mkdir mnt
# mount -t ext4 final.img mnt
# touch mnt/foo
<crash>
This is another case of "we're trying to expand the inode's extra i_size".
Interestingly, e2fsck does *not* report the file system as corrupted. The
abnormality of the file system is found here:
% debugfs /tmp/poc-200401.img
debugfs 1.44.3 (10-July-2018)
debugfs: idump -x foo
magic = ea020000, length = 96, value_start =4
offset = 4 (0004), name_len = 4, name_index = 7
value_offset = 0 (0004), value_inum = 0, value_size = 0
name = data
offset = 24 (0030), name_len = 30, name_index = 0
value_offset = 0 (0004), value_inum = 0, value_size = 0
name = ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
last entry found at offset 72 (0110)
The problem is that name_len is 30, but the name contains a NUL character,
which the xattr code is not expecting, and fails to handle correctly. The
simple fix is to add the sanity check, and refuse to deal with an xattr entry
with an embedded NUL in the name.
--
You are receiving this mail because:
You are watching the assignee of the bug.
Powered by blists - more mailing lists