Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request - Linux kernel: VFAT slab-based buffer overflow
From: Greg KH <greg () kroah com>
Date: Tue, 26 Feb 2013 10:16:54 -0800

On Tue, Feb 26, 2013 at 11:56:02AM -0600, Joshua J. Drake wrote:
All,

I'd like to request a CVE for an issue leading to a buffer overflow of
a slab allocated buffer in the VFAT file system code. The issue
manifests when converting UTF8 characters to UTF16 inside the
"utf8s_to_utf16s" function. Reaching this code requires writing to a
VFAT partition that has been mounted with the "utf8" option. Ubuntu
10.04 mounts USB sticks with this option by default. Most Android
devices mount eMMC/SD cards/etc with this option.

The issue affects kernels prior to 3.2. Many Android devices remain
affected today.

I'm not entirely sure when the issue was introduced at this moment. It
appears to have been introduced here:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=74675a58507e769beee7d949dbed788af3c4139d

The issue was fixed here:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=0720a06a7518c9d0c0125bd5d1f3b6264c55c3dd

The issue was partially disclosed here (this spurred my investigation):
http://www.exploit-db.com/exploits/23248/

Props to G13 for finding it. It's pretty disappointing that
Google/Android security teams (and of course Linux maintainers) didn't
responsibly disclose the issue so other Linux kernel packagers could
package a fix.

Ok, how could the Linux maintainers have done anything about this, when
the developers involved in creating this patch didn't even realize it
was a "security" issue in the first place?

I'm tired of people complaining about how the Linux kernel developers
handle security issues, when no one seems to have a suggestion as to how
anything could actually be done better.

And note, I was one of the people involved in this patch, and I didn't
notice anything special about it, so if you want to blame anyone, blame
me for not tagging it for inclusion in the stable kernel releases.

greg k-h


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault