| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4196827.3PtsAkI51k@blindfold>
Date: Fri, 05 Oct 2018 18:24:42 +0200
From: Richard Weinberger <richard@....at>
To: Sasha Levin <sashal@...nel.org>
Cc: stable@...r.kernel.org, linux-kernel@...r.kernel.org,
Sasha Levin <alexander.levin@...rosoft.com>
Subject: Re: [PATCH AUTOSEL 3.18 6/6] ubifs: Check for name being NULL while mounting
Sasha,
Am Freitag, 5. Oktober 2018, 18:17:50 CEST schrieb Sasha Levin:
> From: Richard Weinberger <richard@....at>
>
> [ Upstream commit 37f31b6ca4311b94d985fb398a72e5399ad57925 ]
>
> The requested device name can be NULL or an empty string.
> Check for that and refuse to continue. UBIFS has to do this manually
> since we cannot use mount_bdev(), which checks for this condition.
>
> Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
> Reported-by: syzbot+38bd0f7865e5c6379280@...kaller.appspotmail.com
> Signed-off-by: Richard Weinberger <richard@....at>
> Signed-off-by: Sasha Levin <alexander.levin@...rosoft.com>
I'm not sure whether it makes sense to apply this patch to stable.
1. You need to be the real root to hit this code path.
2. Access is read-only, for an attacker it is useless.
If we look at the code:
if (name[0] != 'u' || name[1] != 'b' || name[2] != 'i')
return ERR_PTR(-EINVAL);
/* ubi:NAME method */
if ((name[3] == ':' || name[3] == '!') && name[4] != '\0')
name can be NULL, so we access just a few bytes.
Thanks,
//richard
Powered by blists - more mailing lists