svn commit: r298664 - head/sys/fs/msdosfs
Kristof Provost
kp at FreeBSD.org
Tue Apr 26 21:05:49 UTC 2016
> On 26 Apr 2016, at 23:01, Shawn Webb <shawn.webb at hardenedbsd.org> wrote:
>
> On Tue, Apr 26, 2016 at 08:36:32PM +0000, Kristof Provost wrote:
>> Author: kp
>> Date: Tue Apr 26 20:36:32 2016
>> New Revision: 298664
>> URL: https://svnweb.freebsd.org/changeset/base/298664
>>
>> Log:
>> msdosfs: Prevent buffer overflow when expanding win95 names
>>
>> In win2unixfn() we expand Windows 95 style long names. In some cases that
>> requires moving the data in the nbp->nb_buf buffer backwards to make room. That
>> code failed to check for overflows, leading to a stack overflow in win2unixfn().
>>
>> We now check for this event, and mark the entire conversion as failed in that
>> case. This means we present the 8 character, dos style, name instead.
>>
>> PR: 204643
>> Differential Revision: https://reviews.freebsd.org/D6015
>
> Will this be MFC'd? Since it's triggerable as non-root, should this have
> a CVE? Though the commit log shows technical comments, it doesn't show
> related security information.
Yes, I’ll put MFCing this on my todo list.
I have to admit that I’ve not given the security implications much thought. The bug has always been caught by the stack canary on my test systems, without that it could potentially be quite dangerous.
(Given constraints of having to be able to mount arbitrary file systems as non-root of course.)
Regards,
Kristof
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freebsd.org/pipermail/svn-src-head/attachments/20160426/d7b0750d/attachment.sig>
More information about the svn-src-head
mailing list