CVE-2022-50581

Summary

In the Linux kernel, the following vulnerability has been resolved:

hfs: fix OOB Read in __hfs_brec_find

Syzbot reported a OOB read bug:

================================================================== BUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x117/0x190 fs/hfs/string.c:84 Read of size 1 at addr ffff88807eb62c4e by task kworker/u4:1/11 CPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted 6.1.0-rc6-syzkaller-00308-g644e9524388a #0 Workqueue: writeback wb_workfn (flush-7:0) Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:284 print_report+0x107/0x1f0 mm/kasan/report.c:395 kasan_report+0xcd/0x100 mm/kasan/report.c:495 hfs_strcmp+0x117/0x190 fs/hfs/string.c:84 __hfs_brec_find+0x213/0x5c0 fs/hfs/bfind.c:75 hfs_brec_find+0x276/0x520 fs/hfs/bfind.c:138 hfs_write_inode+0x34c/0xb40 fs/hfs/inode.c:462 write_inode fs/fs-writeback.c:1440 [inline]

If the input inode of hfs_write_inode() is incorrect: struct inode struct hfs_inode_info struct hfs_cat_key struct hfs_name u8 len # len is greater than HFS_NAMELEN(31) which is the maximum length of an HFS filename

OOB read occurred: hfs_write_inode() hfs_brec_find() __hfs_brec_find() hfs_cat_keycmp() hfs_strcmp() # OOB read occurred due to len is too large

Fix this by adding a Check on len in hfs_write_inode() before calling hfs_brec_find().

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 8c40f2dbae603ef0bd21e87c63f54ec59fd88256affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < c886c10a6eddb99923b315f42bf63f448883ef9aaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2344f17c0a89c181ab1a9fef57fd8c3bddfd6e30affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 90103ccb6e60aa4efe48993d23d6a528472f2233affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 4fd3a11804c8877ff11fec59c5c53f1635331e3eaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 367296925c7625c3969d2a78d7a3e1dee161beb5affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < e9e692917c6e10a7066c7a6d092dcdc3d4e329f3affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < bfc9d8f27f89717431a6aecce42ae230b437433faffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 8d824e69d9f3fa3121b2dda25053bae71e2460d2affected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux4.9.337 <= 4.9.*unaffected
LinuxLinux4.14.303 <= 4.14.*unaffected
LinuxLinux4.19.270 <= 4.19.*unaffected
LinuxLinux5.4.229 <= 5.4.*unaffected
LinuxLinux5.10.163 <= 5.10.*unaffected
LinuxLinux5.15.86 <= 5.15.*unaffected
LinuxLinux6.0.16 <= 6.0.*unaffected
LinuxLinux6.1.2 <= 6.1.*unaffected
LinuxLinux6.2 <= *unaffected

Weaknesses

References