lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230819075337.3270182-1-harshit.m.mogalapalli@oracle.com>
Date:   Sat, 19 Aug 2023 00:53:37 -0700
From:   Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
To:     stable@...r.kernel.org
Cc:     vegard.nossum@...cle.com, Namjae Jeon <linkinjeon@...nel.org>,
        Yuezhang Mo <Yuezhang.Mo@...y.com>,
        Maxim Suhanov <dfirblog@...il.com>,
        Sungjong Seo <sj1557.seo@...sung.com>,
        Sasha Levin <sashal@...nel.org>,
        Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH 5.15.y] exfat: check if filename entries exceeds max filename length

From: Namjae Jeon <linkinjeon@...nel.org>

[ Upstream commit d42334578eba1390859012ebb91e1e556d51db49 ]

exfat_extract_uni_name copies characters from a given file name entry into
the 'uniname' variable. This variable is actually defined on the stack of
the exfat_readdir() function. According to the definition of
the 'exfat_uni_name' type, the file name should be limited 255 characters
(+ null teminator space), but the exfat_get_uniname_from_ext_entry()
function can write more characters because there is no check if filename
entries exceeds max filename length. This patch add the check not to copy
filename characters when exceeding max filename length.

Cc: stable@...r.kernel.org
Cc: Yuezhang Mo <Yuezhang.Mo@...y.com>
Reported-by: Maxim Suhanov <dfirblog@...il.com>
Reviewed-by: Sungjong Seo <sj1557.seo@...sung.com>
Signed-off-by: Namjae Jeon <linkinjeon@...nel.org>
Signed-off-by: Sasha Levin <sashal@...nel.org>
[Harshit: backport to 5.15.y]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
---
The conflict resolved patch for 6.1.y applies cleanly to 5.15.y as
well.
Note: This fix is already present in 5.10.y but missing in 5.15.y
---
 fs/exfat/dir.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/fs/exfat/dir.c b/fs/exfat/dir.c
index 8475a8653c3a..f6dd4fc8eaf4 100644
--- a/fs/exfat/dir.c
+++ b/fs/exfat/dir.c
@@ -34,6 +34,7 @@ static void exfat_get_uniname_from_ext_entry(struct super_block *sb,
 {
 	int i;
 	struct exfat_entry_set_cache *es;
+	unsigned int uni_len = 0, len;
 
 	es = exfat_get_dentry_set(sb, p_dir, entry, ES_ALL_ENTRIES);
 	if (!es)
@@ -52,7 +53,10 @@ static void exfat_get_uniname_from_ext_entry(struct super_block *sb,
 		if (exfat_get_entry_type(ep) != TYPE_EXTEND)
 			break;
 
-		exfat_extract_uni_name(ep, uniname);
+		len = exfat_extract_uni_name(ep, uniname);
+		uni_len += len;
+		if (len != EXFAT_FILE_NAME_LEN || uni_len >= MAX_NAME_LENGTH)
+			break;
 		uniname += EXFAT_FILE_NAME_LEN;
 	}
 
@@ -1032,7 +1036,8 @@ int exfat_find_dir_entry(struct super_block *sb, struct exfat_inode_info *ei,
 			if (entry_type == TYPE_EXTEND) {
 				unsigned short entry_uniname[16], unichar;
 
-				if (step != DIRENT_STEP_NAME) {
+				if (step != DIRENT_STEP_NAME ||
+				    name_len >= MAX_NAME_LENGTH) {
 					step = DIRENT_STEP_FILE;
 					continue;
 				}
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ