Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 14 May 2016 09:55:43 -0400 (EDT)
Subject: Re: dosfstools / fsck.vfat: Several invalid memory accesses

Hash: SHA256

These reports are about command-line programs that realistically
encounter untrusted input. However, says
"dosfstools consists of the programs mkfs.fat, fsck.fat and fatlabel
to create, check and label file systems of the FAT family." It does
not state that dosfstools provides a library that can be used to build
other programs that a user may want. In particular, there does not
seem to be a use case in which a provided program needs to remain
running to process additional filesystems after encountering an
invalid filesystem.

> Global out of bounds read file_stat() / check_dir()
> Git commit / fix

As far as we can tell, this one is not a vulnerability in the
above-described context. It seems to be an out-of-bounds read that
doesn't affect the flow of control.

> Unclear invalid memory access in get_fat()
> Git commit / fix
> that was a nasty one: FAT12 corruption when a certain FAT entry at the
> end is changed.
> set_fat(): Fix off-by-2 error leading to corruption in FAT12
> If the third to last entry was written on a FAT12 filesystem with an
> odd number of clusters, the second to last entry would be corrupted.
> This corruption may also lead to invalid memory accesses when the
> corrupted entry becomes out of bounds and is used later.

Use CVE-2015-8872.

> Heap overflow in read_fat()
> Heap out of bounds read in get_fat()
> Git commit / fix for both issues
> it's a failure to properly catch a zero length FAT in read_fat() and
> continuing with that and the other corrupt values
> read_boot(): Handle excessive FAT size specifications
> The variable used for storing the FAT size (in bytes) was an unsigned
> int. Since the size in sectors read from the BPB was not sufficiently
> checked, this could end up being zero after multiplying it with the
> sector size while some offsets still stayed excessive. Ultimately it
> would cause segfaults when accessing FAT entries for which no memory
> was allocated.

Use CVE-2016-4804 (this applies to both issues/25 and issues/26, even
though the impact in 25 is a heap-based buffer overflow with write
access, and the impact in 26 is a heap-based buffer over-read).

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at ]
Version: GnuPG v1


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.