Date:      Tue, 26 Apr 2016 23:05:38 +0200
From:      Kristof Provost <kp@FreeBSD.org>
To:        Shawn Webb <shawn.webb@hardenedbsd.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r298664 - head/sys/fs/msdosfs
Message-ID:  <2190C480-1B7A-47F8-BFB4-D7C8E6F25385@FreeBSD.org>
In-Reply-To: <20160426210138.GA13055@mutt-hardenedbsd>
References:  <201604262036.u3QKaWto038435@repo.freebsd.org> <20160426210138.GA13055@mutt-hardenedbsd>


> On 26 Apr 2016, at 23:01, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> 
> On Tue, Apr 26, 2016 at 08:36:32PM +0000, Kristof Provost wrote:
>> Author: kp
>> Date: Tue Apr 26 20:36:32 2016
>> New Revision: 298664
>> URL: https://svnweb.freebsd.org/changeset/base/298664
>> 
>> Log:
>>  msdosfs: Prevent buffer overflow when expanding win95 names
>> 
>>  In win2unixfn() we expand Windows 95 style long names. In some cases that
>>  requires moving the data in the nbp->nb_buf buffer backwards to make room. That
>>  code failed to check for overflows, leading to a stack overflow in win2unixfn().
>> 
>>  We now check for this event, and mark the entire conversion as failed in that
>>  case. This means we present the 8 character, dos style, name instead.
>> 
>>  PR: 204643
>>  Differential Revision:	https://reviews.freebsd.org/D6015
> 
> Will this be MFC'd? Since it's triggerable as non-root, should this have
> a CVE? Though the commit log shows technical comments, it doesn't show
> related security information.

Yes, I’ll put MFCing this on my todo list.

I have to admit that I’ve not given the security implications much thought. The bug has always been caught by the stack canary on my test systems; without that it could potentially be quite dangerous.
(Given constraints of having to be able to mount arbitrary file systems as non-root of course.)

Regards,
Kristof
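
The overflow pattern the commit log describes, as an added example that is not part of this message or of the FreeBSD source: a simplified C model in which a name chunk wider than its slot shifts the already-stored tail, with the bounds check done before the `memmove` and a fallback to the short name on failure. The slot width, buffer size and all identifiers (`namebuf`, `namebuf_write`, `pick_name`) are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Simplified model; every name here is hypothetical, not FreeBSD's code. */
#define SLOT_CHARS 4   /* nominal width reserved for each name chunk */
#define BUF_BYTES  16  /* capacity of the fixed-size name buffer */

struct namebuf {
    char   buf[BUF_BYTES + 1];  /* +1 for the terminating NUL */
    size_t len;                 /* bytes stored so far, all behind the slot */
};

/* Store chunk `id`. Chunks are assumed to arrive consecutively, highest id
 * first, so a chunk wider than its slot must shift the stored tail. */
int namebuf_write(struct namebuf *nb, const char *chunk, size_t id)
{
    size_t count = strlen(chunk), off = id * SLOT_CHARS;
    /* Bounds check before any write: the copy and the shifted tail must fit. */
    if (id > BUF_BYTES / SLOT_CHARS || count > BUF_BYTES - off ||
        nb->len > BUF_BYTES - off - count)
        return ENAMETOOLONG;
    if (count < SLOT_CHARS && nb->len != 0)
        return EINVAL;          /* a short chunk is only valid as the last one */
    if (count > SLOT_CHARS && nb->len != 0)
        memmove(nb->buf + off + count, nb->buf + off + SLOT_CHARS, nb->len);
    memcpy(nb->buf + off, chunk, count);
    nb->len += count;
    nb->buf[off + nb->len] = '\0';
    return 0;
}

/* Assemble chunks[n-1]..chunks[0]; on any failure use the short name. */
const char *pick_name(struct namebuf *nb, const char *const *chunks,
                      size_t n, const char *short_name)
{
    memset(nb, 0, sizeof(*nb));
    for (size_t i = n; i-- > 0; )
        if (namebuf_write(nb, chunks[i], i) != 0)
            return short_name;
    return nb->buf;
}

int main(void)
{
    struct namebuf nb;
    const char *big[] = {"abcdefgh", "ijkl", "mnop", "qrst"}; /* constructed */
    puts(pick_name(&nb, big, 4, "ABCDEF~1"));  /* prints "ABCDEF~1" */
}
```

Without the bounds check, the last write in `main` would shift 12 stored bytes to offset 8 of a 17-byte buffer, which is the kind of out-of-bounds write a stack canary catches only after the fact.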
