Date: Fri, 19 Aug 2011 23:28:31 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: Timo Warns <warns@...-sense.de>
Subject: Re: CVE request: Linux: ZERO_SIZE_PTR dereference for long symlinks in Be FS

On 08/19/2011 03:18 PM, Timo Warns wrote:
> The Linux kernel contains a vulnerability in the driver for Be file
> systems that may lead to a kernel oops via a corrupted Be file system.
> 
> In fs/befs/linuxvfs.c, befs_follow_link() reads a length attribute for
> a long symlink from a data stream of a Be file system.
> 
>     befs_data_stream *data = &befs_ino->i_data.ds;
>     befs_off_t len = data->size;
> 
> The data->size / len value is not validated and can be 0 on a corrupted
> file system.
> 
> befs_follow_link() allocates some memory based on len. Effectively,
> kmalloc returns ZERO_SIZE_PTR in this case.
> 
>         link = kmalloc(len, GFP_NOFS);
> 
> Subsequently, an assignment dereferences ZERO_SIZE_PTR causing a kernel
> oops:
> 
>     link[len - 1] = '\0';
> 
> A patch is available at
> http://git.kernel.org/linus/338d0f0a6fbc82407864606f5b64b75aeb3c70f2

Please use CVE-2011-2928.

Eugene
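
The mechanism quoted above (a zero-length attribute making kmalloc() hand back ZERO_SIZE_PTR, then `link[len - 1]` writing just below it) and the validation that fixes it, as an added user-space model. This is example code, not from the mail or from fs/befs/linuxvfs.c: `model_kmalloc()`, `read_long_symlink()`, `MAX_LINK_LEN`, `probe_symlink()`, `symlink_equals()` and the sample data streams are constructed for the demonstration, and the zero-length path is never dereferenced, only its target address is computed.

```c
/*
 * Added example, not code from the mail or from fs/befs/linuxvfs.c: a
 * user-space model of why kmalloc(len) with len == 0 is dangerous and of
 * the length check befs_follow_link() lacked. model_kmalloc(),
 * read_long_symlink(), MAX_LINK_LEN and the sample streams are constructed
 * for this demonstration.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint64_t befs_off_t;

/* The kernel returns this non-NULL sentinel for zero-byte allocations. */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(p) ((uintptr_t)(p) <= (uintptr_t)ZERO_SIZE_PTR)

/* Upper bound on a symlink target; a constructed stand-in for a sane limit. */
#define MAX_LINK_LEN 4096

/* Model of kmalloc(): size 0 yields ZERO_SIZE_PTR, never NULL, so a
 * plain "!link" check does not catch the zero-length case. */
static void *model_kmalloc(size_t size)
{
    return size == 0 ? ZERO_SIZE_PTR : malloc(size);
}

static void model_kfree(void *p)
{
    if (!ZERO_OR_NULL_PTR(p))
        free(p);
}

/* Constructed stand-in for the on-disk data stream: claimed length + bytes. */
struct befs_data_stream {
    befs_off_t size;
    const char *bytes;
};

/*
 * Address the unchecked code would write to for link[len - 1], computed in
 * integer arithmetic so nothing is dereferenced. For len == 0 the buffer is
 * ZERO_SIZE_PTR and the index wraps, giving ZERO_SIZE_PTR - 1 == 15: an
 * unmapped address, hence the oops the report describes.
 */
static uintptr_t unchecked_write_target(befs_off_t len)
{
    void *link = model_kmalloc(len);
    uintptr_t target = (uintptr_t)link + (uintptr_t)(len - 1);

    model_kfree(link);
    return target;
}

/*
 * Hardened read: validate the length taken from the (untrusted) file system
 * before allocating. Returns 0 with a NUL-terminated copy in *out (caller
 * frees with model_kfree), or a negative errno.
 */
static int read_long_symlink(const struct befs_data_stream *data, char **out)
{
    befs_off_t len = data->size;
    char *link;

    *out = NULL;
    if (len == 0 || len > MAX_LINK_LEN)   /* the check that was missing */
        return -EIO;

    link = model_kmalloc(len);
    if (ZERO_OR_NULL_PTR(link))
        return -ENOMEM;

    memcpy(link, data->bytes, len);       /* stream supplies len bytes */
    link[len - 1] = '\0';                 /* safe: len >= 1 here */
    *out = link;
    return 0;
}

/* Run the hardened reader on a constructed stream and report its rc. */
static int probe_symlink(befs_off_t claimed_len, const char *bytes)
{
    struct befs_data_stream ds = { claimed_len, bytes };
    char *link;
    int rc = read_long_symlink(&ds, &link);

    model_kfree(link);
    return rc;
}

/* 1 if the hardened reader accepts the stream and yields `expected`. */
static int symlink_equals(befs_off_t claimed_len, const char *bytes,
                          const char *expected)
{
    struct befs_data_stream ds = { claimed_len, bytes };
    char *link;
    int ok = read_long_symlink(&ds, &link) == 0 && strcmp(link, expected) == 0;

    model_kfree(link);
    return ok;
}

int main(void)
{
    printf("kmalloc(0) == ZERO_SIZE_PTR: %d\n", model_kmalloc(0) == ZERO_SIZE_PTR);
    printf("unchecked write target for len 0: 0x%lx\n",
           (unsigned long)unchecked_write_target(0));
    printf("zero-length symlink rc: %d (expect %d)\n", probe_symlink(0, ""), -EIO);
    printf("valid symlink accepted: %d\n", symlink_equals(6, "a/b/c", "a/b/c"));
    return 0;
}
```

The point the model makes is that `ZERO_SIZE_PTR` defeats the usual `if (!link)` allocation check, so a length read from disk has to be rejected before it reaches the allocator rather than after; the same shape of check (a lower bound as well as an upper bound on attacker-controlled sizes) applies to any file-system parser that sizes a buffer from on-disk metadata.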
