oss-sec mailing list archives
Re: dosfstools / fsck.vfat: Several invalid memory accesses
From: cve-assign () mitre org
Date: Sat, 14 May 2016 09:55:43 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 These reports are about command-line programs that realistically encounter untrusted input. However, https://github.com/dosfstools/dosfstools/blob/master/README.md says "dosfstools consists of the programs mkfs.fat, fsck.fat and fatlabel to create, check and label file systems of the FAT family." It does not state that dosfstools provides a library that can be used to build other programs that a user may want. In particular, there does not seem to be a use case in which a provided program needs to remain running to process additional filesystems after encountering an invalid filesystem.
https://github.com/dosfstools/dosfstools/issues/11 Global out of bounds read file_stat() / check_dir() https://github.com/dosfstools/dosfstools/commit/2aad1c83c7d010de36afbe79c9fde22c50aa2f74 Git commit / fix
As far as we can tell, this one is not a vulnerability in the above-described context. It seems to be an out-of-bounds read that doesn't affect the flow of control.
https://github.com/dosfstools/dosfstools/issues/12 Unclear invalid memory access in get_fat() https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7 Git commit / fix that was a nasty one: FAT12 corruption when a certain FAT entry at the end is changed. set_fat(): Fix off-by-2 error leading to corruption in FAT12 If the third to last entry was written on a FAT12 filesystem with an odd number of clusters, the second to last entry would be corrupted. This corruption may also lead to invalid memory accesses when the corrupted entry becomes out of bounds and is used later.
Use CVE-2015-8872.
https://github.com/dosfstools/dosfstools/issues/25 Heap overflow in read_fat() https://github.com/dosfstools/dosfstools/issues/26 Heap out of bounds read in get_fat() https://github.com/dosfstools/dosfstools/commit/e8eff147e9da1185f9afd5b25948153a3b97cf52 Git commit / fix for both issues it's a failure to properly catch a zero length FAT in read_fat() and continuing with that and the other corrupt values read_boot(): Handle excessive FAT size specifications The variable used for storing the FAT size (in bytes) was an unsigned int. Since the size in sectors read from the BPB was not sufficiently checked, this could end up being zero after multiplying it with the sector size while some offsets still stayed excessive. Ultimately it would cause segfaults when accessing FAT entries for which no memory was allocated.
Use CVE-2016-4804 (this applies to both issues/25 and issues/26, even though the impact in 25 is a heap-based buffer overflow with write access, and the impact in 26 is a heap-based buffer over-read). - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXNy15AAoJEHb/MwWLVhi25VEP/iMdL0X84Xo9ysSMP9D0hxZz 1v3OtKF16jmGPpKBiC++PHoBN533jVi+K7epBhkvHC2ycKTsHHK6ImmWCguRU2C5 w+rpoqEHMsqmiCf9M/XjutMHvgCdsFbNf4pe4dkJBt5oAK+oqThzUZ2kFK1Jvs0U HBDQHs9XKWIMals6N+FyF1TanIX2dUtchaky+Ba92piL3rdN95vs1/Mt1C6l+7bw ZUt8uqIZMNOCgr5Cq1gMvc16VFYOi8ZYWol1FBq0kFpxzjsOn8dpeJ4lxn+JKyyp hpAKUBPAgv+OWogtq+LsklD9qoGuaBKClrZiVL6qbr9YYA9NBabXuMqJJghGHUTy omKQsTOE+SuQXLLiV/gKs0bCUkWbK7yScSRUG2lEb1qtbWqHByZTq/FHTC2Kc5IY n0VUEayp2IFwfny11pM+D1O6VeWBFRvZNgc849VHNSo5KbTo1z9aFQSmld38t5sW DOzg6IvV86P+jP/OzCv7uDbJG6aSDoy8fELv4xisCp4cFq+K+9aLUqWj9HrPr+on 3AEntSjDmvrEMvmNxY6I7ayan2AphcEGblUNnuu+2k0KnOEKjS1oIcCXSbnS8F0J NGI1jYf+Y5LPMX6aLmJEazyU0fXtNJx6BAKhmaGNzTBXpZdhD9nkw88puLQKMBv2 TZGsWop91NEPNGjtPSRa =tWe9 -----END PGP SIGNATURE-----
Current thread:
- dosfstools / fsck.vfat: Several invalid memory accesses Hanno Böck (May 08)
- Re: dosfstools / fsck.vfat: Several invalid memory accesses cve-assign (May 14)