[PRE-SA-2012-03] Linux kernel: Buffer overflow in HFS plus filesystem
From: Timo Warns <warns () pre-sense de>
Date: Wed, 16 May 2012 16:04:20 +0200
PRE-CERT Security Advisory
* Advisory: PRE-SA-2012-03
* Released on: 10 May 2012
* Affected product: Linux Kernel 3.3.x <= 3.3.4
2.6.x <= 126.96.36.199
* Impact: code execution / privilege escalation
* Origin: HFS plus file system
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-2319
The Linux kernel contains a vulnerability in the driver for HFS plus
file systems that may be exploited for code execution or privilege
escalation.
A specially crafted HFS plus filesystem can cause a buffer overflow via
the memcpy() call in hfs_bnode_read() (in fs/hfsplus/bnode.c).
hfsplus_rename_cat() (in fs/hfsplus/catalog.c) and hfsplus_readdir()
(in fs/hfsplus/dir.c) call hfs_bnode_read() with values that result in
a memcpy() into a fixed-length destination buffer, where both the
source offset and the length are read from the filesystem without
sufficient validation.
The buffer overflows were previously fixed in the HFS filesystem driver
and have been assigned CVE-2009-4020
(commit ec81aecb29668ad71f699f4e7b96ec46691895b6 ).
Commit 6f24f892871acc47b40dd594c63606a17c714f77 ("hfsplus: fix
a potential buffer overflow") also fixes the issue in the HFS plus
file system driver.
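The following C program is an added illustration of the defect class described above and is not code from the advisory or from the Linux kernel. It models the pattern in miniature: a fixed-size destination, a node buffer whose bytes came from disk, and a record length taken from that untrusted buffer and handed to memcpy(). The node size, entry size and record layout are constructed for the example and are not the on-disk HFS plus format; bnode_read_checked() stands in for the kind of length validation the referenced fix adds before the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed sizes, not the kernel's: a 64-byte "node" read from disk and a
 * 32-byte fixed-size destination standing in for the on-stack catalog entry. */
#define NODE_SIZE  64
#define ENTRY_SIZE 32

typedef struct {
    uint8_t data[NODE_SIZE]; /* untrusted bytes exactly as they arrived from disk */
    size_t  size;            /* number of valid bytes in data */
} bnode_t;

/* The pattern the advisory describes: copy `len` bytes from the node into a
 * fixed-size buffer, where `off` and `len` both came from the filesystem and
 * nothing compares them against the destination size. Kept only for contrast;
 * the callers below never feed it an unvalidated length. */
static void bnode_read_unchecked(void *buf, const bnode_t *node, size_t off, size_t len)
{
    memcpy(buf, node->data + off, len);
}

/* Hardened reader: fails closed with -1 (an EIO-style error) whenever the
 * requested window leaves the node or exceeds the destination buffer.
 * The subtraction form avoids the wrap-around that `off + len` could hit. */
static int bnode_read_checked(void *buf, size_t buf_size,
                              const bnode_t *node, size_t off, size_t len)
{
    if (off > node->size || len > node->size - off)
        return -1;          /* would read past the end of the node */
    if (len > buf_size)
        return -1;          /* would overflow the fixed-size destination */
    memcpy(buf, node->data + off, len);
    return 0;
}

/* Simulates one directory-listing step: a 16-bit big-endian record length is
 * read from the node at `rec_off` and then used as the copy length. Because
 * that length is on-disk data, it is validated before it reaches memcpy(). */
static int read_catalog_entry(const bnode_t *node, size_t rec_off, uint8_t *entry)
{
    if (rec_off > node->size || node->size - rec_off < 2)
        return -1;          /* the length field itself is out of bounds */
    size_t entrylength = ((size_t)node->data[rec_off] << 8) | node->data[rec_off + 1];
    return bnode_read_checked(entry, ENTRY_SIZE, node, rec_off + 2, entrylength);
}

/* Builds a constructed node whose first record claims `entrylength` bytes. */
static void build_node(bnode_t *node, uint16_t entrylength)
{
    memset(node, 0, sizeof(*node));
    node->size = NODE_SIZE;
    node->data[0] = (uint8_t)(entrylength >> 8);
    node->data[1] = (uint8_t)(entrylength & 0xff);
    for (size_t i = 2; i < NODE_SIZE; i++)
        node->data[i] = (uint8_t)i;   /* filler so copied bytes are recognisable */
}

int main(void)
{
    bnode_t node;
    uint8_t entry[ENTRY_SIZE];

    build_node(&node, 16);                      /* well-formed: fits both limits */
    printf("len=16    -> %d\n", read_catalog_entry(&node, 0, entry));
    bnode_read_unchecked(entry, &node, 2, 16);  /* same read with a known-good length */

    build_node(&node, 48);                      /* fits the node, overflows the entry */
    printf("len=48    -> %d\n", read_catalog_entry(&node, 0, entry));

    build_node(&node, 0xffff);                  /* runs past the node as well */
    printf("len=65535 -> %d\n", read_catalog_entry(&node, 0, entry));
    return 0;
}
```

The two rejected cases are the ones that matter for review: a length that stays inside the node but exceeds the destination is exactly the case a check against the node alone would miss, so the validation has to compare against sizeof(destination) as well as against the node bounds.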
Compile and use a kernel that does not support the HFS plus file system.
The corresponding configuration key is CONFIG_HFSPLUS_FS.
A patch is available at
The issue has been fixed in Linux 3.3.5.
When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:
PRE-CERT can be reached at precert () pre-secure de. For PGP key
information, refer to http://www.pre-cert.de/.