oss-sec mailing list archives

Re: CVE request: Linux kernel: Buffer overflow in HFS plus filesystem


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 07 May 2012 09:56:08 -0600


On 05/07/2012 02:44 AM, Timo Warns wrote:
> The Linux kernel (at least 3.x <= 3.3.4 and 2.6.x <= 2.6.35.13)
> contains a vulnerability in the driver for HFS plus file systems
> that may be exploited for code execution or privilege escalation.
>
> A specially-crafted HFS plus filesystem can cause a buffer overflow
> via the memcpy() call of hfs_bnode_read() (in fs/hfsplus/bnode.c).
> The functions
>
> hfsplus_rename_cat() (in fs/hfsplus/catalog.c) and
> hfsplus_readdir() (in fs/hfsplus/dir.c)
>
> call hfs_bnode_read() with values that result in a memcpy() call
> with a fixed-length destination buffer and both a source buffer
> and a length that are read from the filesystem without sufficient
> validation.
>
> The buffer overflows were previously fixed in the HFS filesystem
> driver and have been assigned CVE-2009-4020 (commit
> ec81aecb29668ad71f699f4e7b96ec46691895b6 [1]). Commit
> 6f24f892871acc47b40dd594c63606a17c714f77 ("hfsplus: fix a potential
> buffer overflow") [2] also fixes the issue in the HFS plus
> filesystem driver.
>
> [1] http://git.kernel.org/linus/ec81aecb29668ad71f699f4e7b96ec46691895b6
> [2] http://git.kernel.org/linus/6f24f892871acc47b40dd594c63606a17c714f77

Please use CVE-2012-2319 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
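The copy pattern the quoted report describes, as an added C example that is not code from the kernel or from either referenced commit: a fixed-size destination, a record whose length field comes from the on-disk B-tree node, and a bounds check that rejects the record with -EIO before memcpy() runs. The struct layouts, the 16-byte entry size, the function names and the sample records are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the fixed-length destination that
 * hfsplus_readdir()/hfsplus_rename_cat() pass to hfs_bnode_read().
 * Deliberately small; not the kernel's catalog entry layout. */
#define CAT_ENTRY_SIZE 16
struct cat_entry { uint8_t raw[CAT_ENTRY_SIZE]; };

/* Constructed stand-in for one record inside an on-disk node:
 * both the length and the bytes originate from the filesystem image. */
struct disk_record {
    uint32_t entrylength;   /* untrusted: comes straight from disk */
    const uint8_t *data;
};

/* Shape of the defect (paraphrased from the report, not kernel code):
 * the on-disk length reaches memcpy() with no check against the
 * destination size. Shown for contrast only; never used on real input. */
void read_entry_unchecked(struct cat_entry *dst, const struct disk_record *rec)
{
    memcpy(dst->raw, rec->data, rec->entrylength); /* overflows if > 16 */
}

/* Hardened shape: validate the on-disk length first and treat an
 * oversized record as filesystem corruption (-EIO), as the fix intends. */
int read_entry_checked(struct cat_entry *dst, const struct disk_record *rec)
{
    if (rec->entrylength > sizeof(dst->raw))
        return -EIO;
    memset(dst->raw, 0, sizeof(dst->raw));
    memcpy(dst->raw, rec->data, rec->entrylength);
    return (int)rec->entrylength;    /* bytes copied */
}

/* Constructed sample records: one well-formed, one claiming 64 bytes. */
static const uint8_t sane_bytes[8] = {1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t big_bytes[64] = {0};

int demo_sane(void)          /* well-formed record: 8 bytes copied */
{
    struct cat_entry e;
    struct disk_record rec = { sizeof(sane_bytes), sane_bytes };
    return read_entry_checked(&e, &rec);
}

int demo_oversized(void)     /* crafted length 64 > 16: rejected, -EIO */
{
    struct cat_entry e;
    struct disk_record rec = { sizeof(big_bytes), big_bytes };
    return read_entry_checked(&e, &rec);
}
```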

