From: Kristof Provost
Subject: Re: svn commit: r298664 - head/sys/fs/msdosfs
Date: Tue, 26 Apr 2016 23:05:38 +0200
To: Shawn Webb
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
In-Reply-To: <20160426210138.GA13055@mutt-hardenedbsd>
References: <201604262036.u3QKaWto038435@repo.freebsd.org> <20160426210138.GA13055@mutt-hardenedbsd>
Message-Id: <2190C480-1B7A-47F8-BFB4-D7C8E6F25385@FreeBSD.org>
List-Id: SVN commit messages for the src tree for head/-current
> On 26 Apr 2016, at 23:01, Shawn Webb wrote:
> 
> On Tue, Apr 26, 2016 at 08:36:32PM +0000, Kristof Provost wrote:
>> Author: kp
>> Date: Tue Apr 26 20:36:32 2016
>> New Revision: 298664
>> URL: https://svnweb.freebsd.org/changeset/base/298664
>> 
>> Log:
>>   msdosfs: Prevent buffer overflow when expanding win95 names
>> 
>>   In win2unixfn() we expand Windows 95 style long names. In some cases that
>>   requires moving the data in the nbp->nb_buf buffer backwards to make room. That
>>   code failed to check for overflows, leading to a stack overflow in win2unixfn().
>> 
>>   We now check for this event, and mark the entire conversion as failed in that
>>   case. This means we present the 8 character, dos style, name instead.
>> 
>>   PR: 204643
>>   Differential Revision: https://reviews.freebsd.org/D6015
> 
> Will this be MFC'd? Since it's triggerable as non-root, should this have
> a CVE? Though the commit log shows technical comments, it doesn't show
> related security information.

Yes, I'll put MFCing this on my todo list.

I have to admit that I've not given the security implications much thought.
The bug has always been caught by the stack canary on my test systems;
without that it could potentially be quite dangerous.
(Given constraints of having to be able to mount arbitrary file systems as
non-root, of course.)
Regards,
Kristof
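The bug class the quoted commit log describes (a tail of name bytes moved backwards in a fixed stack buffer to make room for an expanded character, without checking that it still fits) and the shape of the fix (refuse the expansion and let the caller fall back to the short name), shown as an added, constructed model. This is not the msdosfs code from r298664 or its fix; struct namebuf, ucs2_to_utf8, insert_checked and the demo_* functions are hypothetical names, and the 16-byte buffer and sample contents are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model, not msdosfs code: a name buffer of 'len' used bytes.
 * Inserting a character may need extra bytes once encoded, so the tail is
 * moved backwards (to higher addresses) to make room, as in the log. */
struct namebuf {
    size_t len;
    char   buf[16]; /* deliberately tiny so the overflow case is easy to hit */
};

/* UCS-2 code unit to UTF-8 (1 to 3 bytes); surrogates are ignored here. */
static size_t ucs2_to_utf8(uint16_t c, unsigned char *out)
{
    if (c < 0x80)  { out[0] = (unsigned char)c; return 1; }
    if (c < 0x800) { out[0] = 0xC0 | (c >> 6); out[1] = 0x80 | (c & 0x3F); return 2; }
    out[0] = 0xE0 | (c >> 12); out[1] = 0x80 | ((c >> 6) & 0x3F); out[2] = 0x80 | (c & 0x3F);
    return 3;
}

/* Hardened insert: refuse the expansion when the shifted tail would no longer
 * fit; -1 lets the caller abandon the long name and use the 8.3 name instead. */
int insert_checked(struct namebuf *nb, size_t pos, uint16_t c)
{
    unsigned char enc[3];
    size_t n = ucs2_to_utf8(c, enc);
    if (pos > nb->len || nb->len + n > sizeof(nb->buf))
        return -1;
    /* The bug in the commit log is this memmove run without the check above:
     * the tail is pushed past buf[], the overflow a stack canary then catches. */
    memmove(nb->buf + pos + n, nb->buf + pos, nb->len - pos);
    memcpy(nb->buf + pos, enc, n);
    nb->len += n;
    return 0;
}

/* Constructed scenario: 14 ASCII bytes already present; insert c at the
 * front. Returns the new length, or -1 if the expansion was refused. */
int demo_insert(uint16_t c)
{
    struct namebuf nb = { 14, "ABCDEFGHIJKLMN" };
    return insert_checked(&nb, 0, c) == 0 ? (int)nb.len : -1;
}

/* Same scenario with U+00E9: returns 1 if the moved tail is intact. */
int demo_tail_intact(void)
{
    struct namebuf nb = { 14, "ABCDEFGHIJKLMN" };
    return insert_checked(&nb, 0, 0xE9) == 0 &&
           memcmp(nb.buf, "\xC3\xA9" "ABCDEFGHIJKLMN", 16) == 0;
}
```

A one-byte ASCII insert and a two-byte U+00E9 still fit the 16-byte model buffer; a three-byte U+20AC is refused rather than written past the end.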