Date: Fri, 19 Aug 2011 23:28:31 +0800 From: Eugene Teo <eugene@...hat.com> To: oss-security@...ts.openwall.com CC: Timo Warns <warns@...-sense.de> Subject: Re: CVE request: Linux: ZERO_SIZE_PTR dereference for long symlinks in Be FS On 08/19/2011 03:18 PM, Timo Warns wrote: > The Linux kernel contains a vulnerability in the driver for Be file > systems that may lead to a kernel oops via a corrupted Be file system. > > In fs/befs/linuxvfs.c, befs_follow_link() reads a length attribute for > a long symlink from a data stream of a Be file system. > > befs_data_stream *data = &befs_ino->i_data.ds; > befs_off_t len = data->size; > > The data->size / len value is not validated and can be 0 on a corrupted > file system. > > befs_follow_link() allocates some memory based on len. Effectively, > kmalloc returns ZERO_SIZE_PTR in this case. > > link = kmalloc(len, GFP_NOFS); > > Subsequently, an assignment dereferences ZERO_SIZE_PTR causing a kernel > oops: > > link[len - 1] = '\0'; > > A patch is available at > http://git.kernel.org/linus/338d0f0a6fbc82407864606f5b64b75aeb3c70f2 Please use CVE-2011-2928. Eugene
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.