| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20230206162206.845488-1-VEfanov@ispras.ru>
Date: Mon, 6 Feb 2023 19:22:06 +0300
From: Vladislav Efanov <VEfanov@...ras.ru>
To: Jan Kara <jack@...e.com>
Cc: Vladislav Efanov <VEfanov@...ras.ru>, linux-kernel@...r.kernel.org,
lvc-project@...uxtesting.org
Subject: [PATCH] udf: KASAN: slab-out-of-bounds in udf_readdir
The KASAN report is:
[ 1922.586560] BUG: KASAN: slab-out-of-bounds in udf_readdir+0xe00/0x19e0
[ 1922.586922] Write of size 89 at addr ffff888000cd9ea6 by task rm/18493
udf_readdir() tries to write file name out of allocated memory
buffer bounds. The UDF_NAME_LEN_CS0 (255) is used as max length
for file name in udf_put_filename(). But UDF_NAME_LEN (254) is
used as the size for buffer allocation in udf_readdir(). As the
result out-of-bounds write happened.
Found by Linux Verification Center (linuxtesting.org) with xfstests
Fixes: 066b9cded00b ("udf: Use separate buffer for copying split names")
Signed-off-by: Vladislav Efanov <VEfanov@...ras.ru>
---
fs/udf/dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/udf/dir.c b/fs/udf/dir.c
index be640f4b2f2c..b95607c42ad4 100644
--- a/fs/udf/dir.c
+++ b/fs/udf/dir.c
@@ -169,7 +169,7 @@ static int udf_readdir(struct file *file, struct dir_context *ctx)
nameptr = (char *)(fibh.ebh->b_data + poffset - lfi);
} else {
if (!copy_name) {
- copy_name = kmalloc(UDF_NAME_LEN,
+ copy_name = kmalloc(UDF_NAME_LEN_CS0,
GFP_NOFS);
if (!copy_name) {
ret = -ENOMEM;
--
2.34.1
Powered by blists - more mailing lists