Date: Tue, 26 Apr 2016 17:18:04 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Kristof Provost
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r298664 - head/sys/fs/msdosfs
Message-ID: <20160426211804.GB13055@mutt-hardenedbsd>
References: <201604262036.u3QKaWto038435@repo.freebsd.org> <20160426210138.GA13055@mutt-hardenedbsd> <2190C480-1B7A-47F8-BFB4-D7C8E6F25385@FreeBSD.org>
In-Reply-To: <2190C480-1B7A-47F8-BFB4-D7C8E6F25385@FreeBSD.org>

On Tue, Apr 26, 2016 at 11:05:38PM +0200, Kristof Provost wrote:
>
> > On 26 Apr 2016, at 23:01, Shawn Webb wrote:
> >
> > On Tue, Apr 26, 2016 at 08:36:32PM +0000, Kristof Provost wrote:
> >> Author: kp
> >> Date: Tue Apr 26 20:36:32 2016
> >> New Revision: 298664
> >> URL: https://svnweb.freebsd.org/changeset/base/298664
> >>
> >> Log:
> >>   msdosfs: Prevent buffer overflow when expanding win95 names
> >>
> >>   In win2unixfn() we expand Windows 95 style long names. In some cases that
> >>   requires moving the data in the nbp->nb_buf buffer backwards to make room. That
> >>   code failed to check for overflows, leading to a stack overflow in win2unixfn().
> >>
> >>   We now check for this event, and mark the entire conversion as failed in that
> >>   case. This means we present the 8 character, dos style, name instead.
> >>
> >>   PR:                    204643
> >>   Differential Revision: https://reviews.freebsd.org/D6015
> >
> > Will this be MFC'd? Since it's triggerable as non-root, should this have
> > a CVE? Though the commit log shows technical comments, it doesn't show
> > related security information.
>
> Yes, I'll put MFCing this on my todo list.
>
> I have to admit that I've not given the security implications much thought. The bug has always been caught by the stack canary on my test systems, without that it could potentially be quite dangerous.
> (Given constraints of having to be able to mount arbitrary file systems as non-root of course.)
>
> Regards,
> Kristof

Was secteam@ even involved, then? Seems like a user-facing kernel buffer
overflow ought to have involved secteam@.

Also, the differential revision link you posted is incorrect.
Thanks,

-- 
Shawn Webb
HardenedBSD
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
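As an added illustration, not code from r298664 or the msdosfs sources: a C model of the bug class the quoted log describes, a fixed-size name buffer that grows backwards as Win95 long-name characters expand, with the bounds check whose absence caused the stack overflow. The buffer size, the UTF-8 expansion and every function name here are assumptions, not the kernel's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical name buffer filled from its end towards its start, modelling the
 * nb_buf pattern the commit describes (not the msdosfs layout). Data: [cur, buf+SIZE). */
#define NAMEBUF_SIZE 16
struct namebuf { char buf[NAMEBUF_SIZE]; char *cur; };

/* Encode one UCS-2 code unit as UTF-8 (1 to 3 bytes); returns the length. */
static size_t ucs2_to_utf8(uint16_t c, char out[3]) {
    if (c < 0x80) { out[0] = (char)c; return 1; }
    if (c < 0x800) { out[0] = (char)(0xC0 | (c >> 6)); out[1] = (char)(0x80 | (c & 0x3F)); return 2; }
    out[0] = (char)(0xE0 | (c >> 12)); out[1] = (char)(0x80 | ((c >> 6) & 0x3F));
    out[2] = (char)(0x80 | (c & 0x3F));
    return 3;
}

/* The check the fix adds: refuse to move the cursor below buf[0]. Without the
 * first two lines a long expanded name is written below the buffer, onto the stack. */
static int namebuf_prepend(struct namebuf *nb, const char *src, size_t len) {
    if (len > (size_t)(nb->cur - nb->buf))
        return -1;
    nb->cur -= len;
    memcpy(nb->cur, src, len);
    return 0;
}

/* Convert a UCS-2 long name right to left, each unit expanding in front of the
 * bytes already placed. Returns the encoded length, or -1 when it does not fit;
 * the caller treats -1 as a failed conversion and falls back to the 8.3 name. */
static int long_name_to_utf8(const uint16_t *name, size_t n, struct namebuf *nb) {
    nb->cur = nb->buf + NAMEBUF_SIZE;
    while (n-- > 0) {
        char tmp[3];
        size_t len = ucs2_to_utf8(name[n], tmp);
        if (namebuf_prepend(nb, tmp, len) < 0)
            return -1;
    }
    return (int)(nb->buf + NAMEBUF_SIZE - nb->cur);
}

/* Constructed sample input: n copies of U+20AC, which expands to 3 bytes each. */
static int euro_name_length(size_t n) {
    uint16_t name[8]; struct namebuf nb;
    if (n > 8) n = 8;
    for (size_t i = 0; i < n; i++) name[i] = 0x20AC;
    return long_name_to_utf8(name, n, &nb);
}
```

Five euro signs expand to 15 bytes and fit the 16-byte buffer; six would need 18 and the conversion reports failure instead of writing past buf[0].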