lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20111109190802.GA4540@ounaide>
Date:	Wed, 9 Nov 2011 20:08:48 +0100
From:	Clement LECIGNE <clemun@...il.com>
To:	linux-kernel@...r.kernel.org
Subject: [BUG][SECURITY] Kernel stack overflow in hfs_mac2asc()

Hi lkml,

I have found there is no len nor bound checkings in hfs_mac2asc()
function against the size of the out buffer passed as parameter.
The src size can be greater than HFS_MAX_NAMELEN on malformed file
system. HFS_MAX_NAMELEN is 31 whereas src size can be set up to
255 (unsigned char).

This can lead to a basic kernel stack overflow with user controlled
data through for example hfs_readdir() which calls hfs_mac2asc() with
out buffer "allocated" on the stack.

This overflow can be simply fixed by adding bound checks on srclen
before doing the copy.

Best regards,

-- 
Clément LECIGNE,
"In Python, how do you create a string of random characters? Read a Perl
file!"
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ