Date: Wed, 18 May 2016 10:28:37 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: CVE Request: Linux: information leak in Rock Ridge Extensions to iso9660 -- fs/isofs/rock.c

Hi

The following commit in Linux v4.6 addresses an information leak
caused by not properly handling NM entries containing NUL. Quoting the
commit message:

> Subject: get_rock_ridge_filename(): handle malformed NM entries
> 
> Payloads of NM entries are not supposed to contain NUL.  When we run
> into such, only the part prior to the first NUL goes into the
> concatenation (i.e. the directory entry name being encoded by a bunch
> of NM entries).  We do stop when the amount collected so far + the
> claimed amount in the current NM entry exceed 254.  So far, so good,
> but what we return as the total length is the sum of *claimed*
> sizes, not the actual amount collected.  And that can grow pretty
> large - not unlimited, since you'd need to put CE entries in
> between to be able to get more than the maximum that could be
> contained in one isofs directory entry / continuation chunk and
> we stop once we'd encountered 32 CEs, but you can get about 8Kb
> easily.  And that's what will be passed to readdir callback as the
> name length.  8Kb __copy_to_user() from a buffer allocated by
> __get_free_page()
> 
> Cc: stable@...r.kernel.org # 0.98pl6+ (yes, really)
> Signed-off-by: Al Viro <viro@...iv.linux.org.uk>

Upstream commit: https://git.kernel.org/linus/99d825822eade8d827a1817357cbf3f889a552d6 (v4.6)

Can you please assign a CVE for this issue?

Regards,
Salvatore
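
The length mismatch described in the quoted commit message, as an added user-space illustration (not kernel code and not part of the original mail). `struct nm_entry`, the function names and the sample payload are constructed for this example, and `collect_actual` is one assumed way to keep the reported length equal to the bytes stored.

```c
#include <stdio.h>
#include <string.h>

#define RR_NAME_LIMIT 254  /* limit named in the commit message */
struct nm_entry { size_t len; const char *data; };  /* constructed stand-in for an NM entry */

/* As described: bytes before the first NUL are stored, but claimed sizes are summed. */
size_t collect_claimed(const struct nm_entry *e, size_t n, char *out)
{
    size_t total = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (strlen(out) + e[i].len >= RR_NAME_LIMIT)
            break;
        strncat(out, e[i].data, e[i].len);  /* stops at the first NUL */
        total += e[i].len;                  /* counts claimed bytes */
    }
    return total;
}

/* Assumed hardening for this sketch: clamp at the first NUL, report stored bytes. */
size_t collect_actual(const struct nm_entry *e, size_t n, char *out)
{
    size_t total = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t len = e[i].len;
        if (total + len >= RR_NAME_LIMIT)
            break;
        const char *nul = memchr(e[i].data, '\0', len);
        if (nul)
            len = (size_t)(nul - e[i].data);
        memcpy(out + total, e[i].data, len);
        total += len;
        out[total] = '\0';
    }
    return total;
}

static const char payload[200] = "a";  /* constructed: 'a' followed by 199 NULs */
char demo_name[256];
size_t run(size_t (*fn)(const struct nm_entry *, size_t, char *))
{
    struct nm_entry e[40];              /* 40 entries, each claiming 200 bytes */
    for (size_t i = 0; i < 40; i++)
        e[i] = (struct nm_entry){ sizeof payload, payload };
    return fn(e, 40, demo_name);
}
int main(void) { printf("%zu vs %zu\n", run(collect_claimed), run(collect_actual)); return 0; }
```

A caller that trusts the first return value as the name length would read far past the 40 bytes actually stored in the buffer.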
