CVE-2022-50747
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfs: Fix OOB Write in hfs_asc2mac
Syzbot reported a OOB Write bug:
loop0: detected capacity change from 0 to 64
BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 Write of size 1 at addr ffff88801848314e by task syz-executor391/3632
Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:284 print_report+0x107/0x1f0 mm/kasan/report.c:395 kasan_report+0xcd/0x100 mm/kasan/report.c:495 hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28 hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31 lookup_open fs/namei.c:3391 [inline] open_last_lookups fs/namei.c:3481 [inline] path_openat+0x10e6/0x2df0 fs/namei.c:3710 do_filp_open+0x264/0x4f0 fs/namei.c:3740
If in->len is much larger than HFS_NAMELEN(31) which is the maximum length of an HFS filename, a OOB write could occur in hfs_asc2mac(). In that case, when the dst reaches the boundary, the srclen is still greater than 0, which causes a OOB write. Fix this by adding a check on dstlen in while() before writing to dst address.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 328b9227865026268261a24a97a578907b280415 < 8399318b13dc9e0569dee07ba2994098926d4fb2 | affected |
| Linux | Linux | 328b9227865026268261a24a97a578907b280415 < 95040de81c629cd8d3c6ab5b50a8bd5088068303 | affected |
| Linux | Linux | 328b9227865026268261a24a97a578907b280415 < ba8f0ca386dd15acf5a93cbac932392c7818eab4 | affected |
| Linux | Linux | 328b9227865026268261a24a97a578907b280415 < 6a95b17e4d4cd2d8278559f930b447f8c9c8cff9 | affected |
| Linux | Linux | 328b9227865026268261a24a97a578907b280415 < cff9fefdfbf5744afbb6d70bff2b49ec2065d23d | affected |
| Linux | Linux | 328b9227865026268261a24a97a578907b280415 < 7af9cb8cbb81308ce4b06cc7164267faccbf75dd | affected |
| Linux | Linux | 328b9227865026268261a24a97a578907b280415 < ae21b03f904736eb2aa9bd119d2a14e741f1681f | affected |
| Linux | Linux | 328b9227865026268261a24a97a578907b280415 < 88579c158e026860c61c4192531e8bc42f4bc642 | affected |
| Linux | Linux | 328b9227865026268261a24a97a578907b280415 < c53ed55cb275344086e32a7080a6b19cb183650b | affected |
| Linux | Linux | 2.6.14 | affected |
| Linux | Linux | 0 < 2.6.14 | unaffected |
| Linux | Linux | 4.9.337 <= 4.9.* | unaffected |
| Linux | Linux | 4.14.303 <= 4.14.* | unaffected |
| Linux | Linux | 4.19.270 <= 4.19.* | unaffected |
| Linux | Linux | 5.4.229 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.163 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.86 <= 5.15.* | unaffected |
| Linux | Linux | 6.0.16 <= 6.0.* | unaffected |
| Linux | Linux | 6.1.2 <= 6.1.* | unaffected |
| Linux | Linux | 6.2 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/8399318b13dc9e0569dee07ba2994098926d4fb2
- https://git.kernel.org/stable/c/95040de81c629cd8d3c6ab5b50a8bd5088068303
- https://git.kernel.org/stable/c/ba8f0ca386dd15acf5a93cbac932392c7818eab4
- https://git.kernel.org/stable/c/6a95b17e4d4cd2d8278559f930b447f8c9c8cff9
- https://git.kernel.org/stable/c/cff9fefdfbf5744afbb6d70bff2b49ec2065d23d
- https://git.kernel.org/stable/c/7af9cb8cbb81308ce4b06cc7164267faccbf75dd
- https://git.kernel.org/stable/c/ae21b03f904736eb2aa9bd119d2a14e741f1681f
- https://git.kernel.org/stable/c/88579c158e026860c61c4192531e8bc42f4bc642
- https://git.kernel.org/stable/c/c53ed55cb275344086e32a7080a6b19cb183650b
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.