Message-ID: <fc291720-bba7-4799-b451-ae7c84e6697c@ispras.ru>
Date: Tue, 8 Apr 2025 16:38:36 +0300
From: Artem Sadovnikov <a.sadovnikov@...ras.ru>
To: Jan Kara <jack@...e.cz>
Cc: linux-ext4@...r.kernel.org, Theodore Ts'o <tytso@....edu>,
Andreas Dilger <adilger.kernel@...ger.ca>, Eric Sandeen
<sandeen@...hat.com>, linux-kernel@...r.kernel.org,
lvc-project@...uxtesting.org, stable@...r.kernel.org
Subject: Re: [PATCH] ext4: fix off-by-one error in do_split
On 07.04.2025 16:02, Jan Kara wrote:
> Thanks for debugging this! The fix looks good, but I'm still failing to see
> the use-after-free / end-of-buffer issue. If we wrongly split into two parts
> of count/2 each, then dx_move_dirents() and dx_pack_dirents() seem to still
> work correctly. They just make too small an amount of space in bh, but
> still at least one dir entry gets moved? The following add_dirent_to_buf() is
> more likely to fail due to ENOSPC, but still I don't see the buffer overrun
> issue? Can you please tell me what I'm missing? Thanks!
add_dirent_to_buf() only checks for available space if its de parameter is NULL, but make_indexed_dir() provides a non-NULL de, so that space check is skipped entirely. add_dirent_to_buf() then calls ext4_insert_dentry(), which will write a filename that is potentially larger than the entry size and will cause an out-of-bounds write.
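As an added illustration (not the kernel's code and not part of this thread), the simplified C model below shows the guard the reply describes as skipped when de is non-NULL: an insert that validates the handed-in entry's rec_len before copying the name. The struct layout, block size and helper names are constructed assumptions that only loosely follow ext4_dir_entry_2.

```c
/* Simplified model of inserting a name into an ext4-style directory entry.
 * Added illustration, not the kernel's own code. rec_len covers the whole
 * record (header plus name, padded to 4 bytes), as in ext4_dir_entry_2. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 64
#define DIRENT_HDR 8   /* inode(4) + rec_len(2) + name_len(1) + file_type(1) */

struct dirent {
    uint32_t inode;
    uint16_t rec_len;
    uint8_t  name_len;
    uint8_t  file_type;
    char     name[];
};

/* Record size a name of `len` bytes needs, rounded up to 4 bytes. */
static uint16_t rec_len_needed(size_t len) {
    return (uint16_t)((DIRENT_HDR + len + 3) & ~(size_t)3);
}

/* Hardened insert: the caller hands us `de`, but we still check that the
 * name fits inside de->rec_len and that the record lies inside the block.
 * Returns false and writes nothing when the name would overrun the entry. */
static bool insert_dentry_checked(uint8_t *block, struct dirent *de,
                                  uint32_t inode, const char *name) {
    size_t len = strlen(name);
    uint8_t *p = (uint8_t *)de, *end = block + BLOCK_SIZE;
    if (de == NULL || len == 0 || len > 255 || p < block || p + DIRENT_HDR > end)
        return false;
    if (p + de->rec_len > end || de->rec_len < rec_len_needed(len))
        return false;                 /* name larger than the entry: refuse */
    de->inode = inode;
    de->name_len = (uint8_t)len;
    memcpy(de->name, name, len);
    return true;
}

/* Constructed scenario: a block whose only entry is a 16-byte record (room
 * for 8 name bytes). Returns true when a short name is accepted and a name
 * larger than the record is refused without touching the entry. */
static bool check_guard(void) {
    static _Alignas(4) uint8_t blk[BLOCK_SIZE];
    struct dirent *de = (struct dirent *)blk;
    memset(blk, 0, sizeof blk);
    de->rec_len = 16;
    bool ok_small = insert_dentry_checked(blk, de, 12, "abc") && de->name_len == 3;
    bool reject_big = !insert_dentry_checked(blk, de, 13, "name-longer-than-entry");
    return ok_small && reject_big && de->name_len == 3;
}

int main(void) { printf("guard holds: %s\n", check_guard() ? "yes" : "no"); return 0; }
```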