Message-ID: <9f8f65c1-5644-42c9-b16f-e0eedbb70a66@sandeen.net>
Date: Wed, 16 Apr 2025 10:10:15 -0500
From: Eric Sandeen <sandeen@...deen.net>
To: Richard Weinberger <richard.weinberger@...il.com>,
 "Darrick J. Wong" <djwong@...nel.org>
Cc: Christian Brauner <brauner@...nel.org>,
 Cengiz Can <cengiz.can@...onical.com>,
 Attila Szasz <szasza.contact@...il.com>, Greg KH
 <gregkh@...uxfoundation.org>, Salvatore Bonaccorso <carnil@...ian.org>,
 linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
 lvc-patches@...uxtesting.org, dutyrok@...linux.org,
 syzbot+5f3a973ed3dfb85a6683@...kaller.appspotmail.com,
 stable@...r.kernel.org, Alexander Viro <viro@...iv.linux.org.uk>
Subject: Re: [PATCH] hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key

On 4/8/25 5:11 AM, Richard Weinberger wrote:
> On Mon, Apr 7, 2025 at 9:08 PM Darrick J. Wong <djwong@...nel.org> wrote:
>> It's also the default policy on Debian 12 and RHEL9 that if you're
>> logged into the GUI, any program can run:
>>
>> $ truncate -s 3g /tmp/a
>> $ mkfs.hfs /tmp/a
>> $ <write evil stuff on /tmp/a>
>> $ udisksctl loop-setup -f /tmp/a
>> $ udisksctl mount -b /dev/loopX
>>
>> and the user never sees a prompt.  GNOME and KDE both display a
>> notification when the mount finishes, but by then it could be too late.
>> Someone should file a CVE against them too.
> 
> At least on SUSE orphaned and other problematic filesystem kernel modules
> are blacklisted. I wonder why other distros didn't follow this approach.

To be clear, RHEL9 ships a very limited set of filesystems, and as a result
does not ship any of these oddball/orphaned filesystems.

While I agree with Darrick that the silent automounter is a risk in general,
even for well-maintained filesystems, for distros like RHEL the attack surface
is much more limited because the most problematic filesystems aren't available.

Not saying it solves the problem completely, just saying it's not as egregious
as it might look from the original example.

Thanks,
-Eric
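Added example, not part of any message in this thread: a POSIX shell audit of the two mitigations the thread contrasts, a modprobe.d policy that blacklists or hard-disables a filesystem module (the approach Richard describes for SUSE) versus simply not shipping the module at all (Eric's point about RHEL). The modprobe.d file names and the "install MODULE /bin/false" convention are assumptions for illustration, not something the thread states; the demo runs against a constructed modprobe.d directory so it works offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from any distro: audit how the
# running system treats oddball filesystem modules such as hfs/hfsplus.
# Assumptions (not stated on the page): the distro disables modules through
# modprobe.d "blacklist"/"install" lines, and /proc/filesystems and
# /lib/modules/$(uname -r) are readable.

# fs_module_policy CONF_DIR MODULE
# Prints one of:
#   disabled    "install MODULE /bin/false" (or /bin/true) is present, so even
#               an explicit "modprobe MODULE" by root will not load it
#   blacklisted only "blacklist MODULE" is present: autoload via the module's
#               aliases (mount -t MODULE, and therefore udisks) is stopped, but
#               "modprobe MODULE" still works
#   allowed     no policy line for MODULE at all
fs_module_policy() {
    _dir=$1
    _mod=$2
    if grep -Eqs "^[[:space:]]*install[[:space:]]+${_mod}[[:space:]]+/bin/(false|true)([[:space:]]|$)" "$_dir"/*.conf; then
        echo disabled
    elif grep -Eqs "^[[:space:]]*blacklist[[:space:]]+${_mod}([[:space:]]|$)" "$_dir"/*.conf; then
        echo blacklisted
    else
        echo allowed
    fi
}

# fs_module_shipped MODULE
# Prints "builtin", "module" or "absent" depending on whether the running
# kernel carries MODULE at all. A distro that simply does not ship the module
# shows up here as "absent", and no modprobe.d policy is needed for it.
fs_module_shipped() {
    _mod=$1
    _kdir=/lib/modules/$(uname -r)
    if grep -qs "/${_mod}\.ko$" "$_kdir/modules.builtin"; then
        echo builtin
    elif [ -n "$(find "$_kdir" -name "${_mod}.ko*" 2>/dev/null | head -n 1)" ]; then
        echo module
    else
        echo absent
    fi
}

# block_filesystems
# Lists the block-device filesystems the kernel currently knows about, i.e.
# the set an automounter can reach without loading anything further.
block_filesystems() {
    grep -v '^nodev' /proc/filesystems 2>/dev/null | tr -d '\t'
}

# Demo on a constructed modprobe.d directory so it runs anywhere; point the
# directory at /etc/modprobe.d or /lib/modprobe.d to audit a real host.
demo_dir=$(mktemp -d)
printf 'blacklist hfs\ninstall hfs /bin/false\n' > "$demo_dir/60-blacklist_fs-hfs.conf"
printf 'blacklist hfsplus\n' > "$demo_dir/60-blacklist_fs-hfsplus.conf"
for m in hfs hfsplus ext4; do
    printf '%-8s policy=%-11s shipped=%s\n' "$m" \
        "$(fs_module_policy "$demo_dir" "$m")" "$(fs_module_shipped "$m")"
done
rm -rf "$demo_dir"
echo "Currently registered block filesystems:"
block_filesystems
```

The distinction the script draws is the check worth making on a real host: a bare "blacklist hfs" line only stops alias-driven autoloading, which is the path "mount -t hfs" (and so the udisks flow in Darrick's example) takes, whereas "install hfs /bin/false" also defeats an explicit modprobe by root. A module reported as "absent" needs neither, which is the RHEL situation Eric describes.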

