Date:   Mon, 27 Aug 2018 14:37:45 +0000
From:   bugzilla-daemon@...zilla.kernel.org
To:     linux-ext4@...nel.org
Subject: [Bug 200933] Divide zero in __ext4_check_dir_entry

https://bugzilla.kernel.org/show_bug.cgi?id=200933

--- Comment #3 from Theodore Tso (tytso@....edu) ---
Patch to fix this:

http://patchwork.ozlabs.org/patch/962516/

Note: I will probably be retitling and rewriting the patch description, because
on further reflection, it's not possible for this to become a buffer overrun
attack.  That's because we are checking to make sure the inline directory does
not exceed the bounds of the inline data xattr.  The size == 0 is coming from
the "end of xattr list" marker in the xattr data structure.  That has to be
there, or we would have declared the xattr data structure to be corrupt before
we even tried to parse the inline directory.  So the only way the attacker can
manifest a problem is by causing the divide by zero in
__ext4_check_dir_entry().

So for CVE scoring purposes, this is just a denial of service attack
(triggering a kernel divide by zero trap, which doesn't kill the kernel per se,
but which leaves various locks and refcounts held, which will eventually cause
the system to become wedged).  It is not a buffer overrun.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
