Date: Tue, 26 Apr 2016 23:05:38 +0200
From: Kristof Provost <kp@FreeBSD.org>
To: Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r298664 - head/sys/fs/msdosfs
Message-ID: <2190C480-1B7A-47F8-BFB4-D7C8E6F25385@FreeBSD.org>
In-Reply-To: <20160426210138.GA13055@mutt-hardenedbsd>
References: <201604262036.u3QKaWto038435@repo.freebsd.org> <20160426210138.GA13055@mutt-hardenedbsd>
> On 26 Apr 2016, at 23:01, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
>
> On Tue, Apr 26, 2016 at 08:36:32PM +0000, Kristof Provost wrote:
>> Author: kp
>> Date: Tue Apr 26 20:36:32 2016
>> New Revision: 298664
>> URL: https://svnweb.freebsd.org/changeset/base/298664
>>
>> Log:
>> msdosfs: Prevent buffer overflow when expanding win95 names
>>
>> In win2unixfn() we expand Windows 95 style long names. In some cases that
>> requires moving the data in the nbp->nb_buf buffer backwards to make room. That
>> code failed to check for overflows, leading to a stack overflow in win2unixfn().
>>
>> We now check for this event, and mark the entire conversion as failed in that
>> case. This means we present the 8 character, dos style, name instead.
>>
>> PR: 204643
>> Differential Revision: https://reviews.freebsd.org/D6015
>
> Will this be MFC'd? Since it's triggerable as non-root, should this have
> a CVE? Though the commit log shows technical comments, it doesn't show
> related security information.

Yes, I'll put MFCing this on my todo list.

I have to admit that I've not given the security implications much thought.
The bug has always been caught by the stack canary on my test systems; without
that it could potentially be quite dangerous.
(Given constraints of having to be able to mount arbitrary file systems as
non-root of course.)

Regards,
Kristof
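The bug class the commit log describes, as an added C illustration that is not the msdosfs code: a fixed-size name buffer into which fragments are prepended by moving the existing data backwards, with the bound check that the fix adds and the "fail the whole conversion" strategy it adopts. `struct name_buf`, `NB_BUF_LEN`, the function names and the reverse fragment order are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed small capacity so the bound is easy to hit in a test. */
#define NB_BUF_LEN 16

/* Hypothetical stand-in for a stack-allocated name buffer. */
struct name_buf {
    char   buf[NB_BUF_LEN];
    size_t len;            /* bytes currently in use */
};

/* Make `room` bytes free at the front by moving existing data backwards.
 * The unchecked version of this move is the bug: with `room` larger than
 * the remaining capacity, memmove writes past the end of buf.  The check
 * below is the kind of bound the fix adds; on failure the buffer is left
 * untouched so the caller can fall back to the short name. */
bool make_room_front(struct name_buf *nb, size_t room)
{
    if (room > NB_BUF_LEN - nb->len)
        return false;                        /* would overflow buf */
    memmove(nb->buf + room, nb->buf, nb->len);
    nb->len += room;
    return true;
}

/* Prepend one fragment; a failed shift abandons the whole conversion. */
bool prepend_fragment(struct name_buf *nb, const char *frag)
{
    size_t fraglen = strlen(frag);

    if (!make_room_front(nb, fraglen))
        return false;
    memcpy(nb->buf, frag, fraglen);
    return true;
}

/* Build a name from fragments supplied last-piece-first (the order assumed
 * here for long-name pieces).  Returns true only if every piece fit; the
 * caller treats false as "present the short name instead". */
bool build_name(struct name_buf *nb, const char *const *frags, size_t n)
{
    nb->len = 0;
    for (size_t i = 0; i < n; i++) {
        if (!prepend_fragment(nb, frags[i]))
            return false;
    }
    return true;
}
```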