Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4E4E0E35.60609@pre-sense.de>
Date: Fri, 19 Aug 2011 09:18:13 +0200
From: Timo Warns <warns@...-sense.de>
To: oss-security@...ts.openwall.com
Subject: CVE request: Linux: ZERO_SIZE_PTR dereference for long symlinks in
 Be FS

The Linux kernel contains a vulnerability in the driver for Be file
systems that may lead to a kernel oops via a corrupted Be file system.

In fs/befs/linuxvfs.c, befs_follow_link() reads a length attribute for
a long symlink from a data stream of a Be file system.

    befs_data_stream *data = &befs_ino->i_data.ds;
    befs_off_t len = data->size;

The data->size / len value is not validated and can be 0 on a corrupted
file system.

befs_follow_link() allocates some memory based on len. Effectively,
kmalloc returns ZERO_SIZE_PTR in this case.

        link = kmalloc(len, GFP_NOFS);

Subsequently, an assignment dereferences ZERO_SIZE_PTR causing a kernel
oops:

			link[len - 1] = '\0';

A patch is available at
http://git.kernel.org/linus/338d0f0a6fbc82407864606f5b64b75aeb3c70f2

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.