* [BUG][SECURITY] Kernel stack overflow in hfs_mac2asc()
@ 2011-11-09 19:08 Clement LECIGNE
0 siblings, 0 replies; only message in thread
From: Clement LECIGNE @ 2011-11-09 19:08 UTC (permalink / raw)
To: linux-kernel
Hi lkml,
I have found there is no len nor bound checkings in hfs_mac2asc()
function against the size of the out buffer passed as parameter.
The src size can be greater than HFS_MAX_NAMELEN on malformed file
system. HFS_MAX_NAMELEN is 31 whereas src size can be set up to
255 (unsigned char).
This can lead to a basic kernel stack overflow with user controlled
data through for example hfs_readdir() which calls hfs_mac2asc() with
out buffer "allocated" on the stack.
This overflow can be simply fixed by adding bound checks on srclen
before doing the copy.
Best regards,
--
Clément LECIGNE,
"In Python, how do you create a string of random characters? Read a Perl
file!"
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2011-11-09 19:08 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-11-09 19:08 [BUG][SECURITY] Kernel stack overflow in hfs_mac2asc() Clement LECIGNE
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox