| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240517094147.87133-1-mengferry@linux.alibaba.com> Date: Fri, 17 May 2024 17:41:45 +0800 From: Ferry Meng <mengferry@...ux.alibaba.com> To: Mark Fasheh <mark@...heh.com>, Joel Becker <jlbec@...lplan.org>, Joseph Qi <joseph.qi@...ux.alibaba.com>, ocfs2-devel@...ts.linux.dev Cc: linux-kernel@...r.kernel.org, Ferry Meng <mengferry@...ux.alibaba.com> Subject: [PATCH v2 0/2] ocfs2: add checks in ocfs2_xattr_find_entry() to avoid potential out-of-bound access. Hi, all: This patch series attempts to address a scenario where accessing user-defined xattrs in a carefully crafted image can lead to out-of-bound access.(To speak truthfully, I do not think this vehavior would occur under proper usage.) In my testing environment, I constructed an OCFS2 image, created a file with several user-defined xattrs(long name attributes, this will cause a "Non-INLINE" xattr, which requires additional space for storage), and then forcibly modified the xe_name_offset using a binary editing tool (e.g "hexedit"). Upon remounting the image and running 'getfattr -d /path/to/file', this patchset was able to detect "partial" malicious modification. In v2, I make these changes: - (1/2) use xs->end directly, no need to parse a parameter. - (2/2) define a local var 'name_offset'. Ferry Meng (2): ocfs2: add bounds checking to ocfs2_xattr_find_entry() ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() fs/ocfs2/xattr.c | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) -- 2.32.0.3.g01195cf9f
Powered by blists - more mailing lists