Date: Fri, 19 Aug 2011 09:18:13 +0200 From: Timo Warns <warns@...-sense.de> To: oss-security@...ts.openwall.com Subject: CVE request: Linux: ZERO_SIZE_PTR dereference for long symlinks in Be FS The Linux kernel contains a vulnerability in the driver for Be file systems that may lead to a kernel oops via a corrupted Be file system. In fs/befs/linuxvfs.c, befs_follow_link() reads a length attribute for a long symlink from a data stream of a Be file system. befs_data_stream *data = &befs_ino->i_data.ds; befs_off_t len = data->size; The data->size / len value is not validated and can be 0 on a corrupted file system. befs_follow_link() allocates some memory based on len. Effectively, kmalloc returns ZERO_SIZE_PTR in this case. link = kmalloc(len, GFP_NOFS); Subsequently, an assignment dereferences ZERO_SIZE_PTR causing a kernel oops: link[len - 1] = '\0'; A patch is available at http://git.kernel.org/linus/338d0f0a6fbc82407864606f5b64b75aeb3c70f2
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.