In the Linux kernel, the following vulnerability has been resolved: ext4: fix string copying in parse_apply_sb_mount_options() strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce memtostr() and memtostr_pad()") provides additional information in that regard. So if this happens, the following warning is observed: strnlen: detected buffer overflow: 65 byte read of buffer size 64 WARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Modules linked in: CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Call Trace: <TASK> __fortify_panic+0x1f/0x30 lib/string_helpers.c:1039 strnlen include/linux/fortify-string.h:235 [inline] sized_strscpy include/linux/fortify-string.h:309 [inline] parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline] __ext4_fill_super fs/ext4/super.c:5261 [inline] ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706 get_tree_bdev_flags+0x387/0x620 fs/super.c:1636 vfs_get_tree+0x93/0x380 fs/super.c:1814 do_new_mount fs/namespace.c:3553 [inline] path_mount+0x6ae/0x1f70 fs/namespace.c:3880 do_mount fs/namespace.c:3893 [inline] __do_sys_mount fs/namespace.c:4103 [inline] __se_sys_mount fs/namespace.c:4080 [inline] __x64_sys_mount+0x280/0x300 fs/namespace.c:4080 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e Since userspace is expected to provide s_mount_opts field to be at most 63 characters long with the ending byte being NUL-term, use a 64-byte buffer which matches the size of s_mount_opts, so that strscpy_pad() does its job properly. Return with error if the user still managed to provide a non-NUL-term string here. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: ext4: corrige la copia de cadenas en parse_apply_sb_mount_options() strscpy_pad() no puede usarse para copiar una cadena no terminada en NUL en una cadena terminada en NUL de tamaño posiblemente mayor. El commit 0efc5990bca5 ('string.h: Introduce memtostr() y memtostr_pad()') proporciona información adicional al respecto. Así que si esto ocurre, se observa la siguiente advertencia: strnlen: desbordamiento de búfer detectado: lectura de 65 bytes de un búfer de tamaño 64 ADVERTENCIA: CPU: 0 PID: 28655 en lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Módulos enlazados: CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 No contaminado 6.12.54-syzkaller-00144-g5f0270f1ba00 #0 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Traza de llamada: __fortify_panic+0x1f/0x30 lib/string_helpers.c:1039 strnlen include/linux/fortify-string.h:235 [en línea] sized_strscpy include/linux/fortify-string.h:309 [en línea] parse_apply_sb_mount_options fs/ext4/super.c:2504 [en línea] __ext4_fill_super fs/ext4/super.c:5261 [en línea] ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706 get_tree_bdev_flags+0x387/0x620 fs/super.c:1636 vfs_get_tree+0x93/0x380 fs/super.c:1814 do_new_mount fs/namespace.c:3553 [en línea] path_mount+0x6ae/0x1f70 fs/namespace.c:3880 do_mount fs/namespace.c:3893 [en línea] __do_sys_mount fs/namespace.c:4103 [en línea] __se_sys_mount fs/namespace.c:4080 [en línea] __x64_sys_mount+0x280/0x300 fs/namespace.c:4080 do_syscall_x64 arch/x86/entry/common.c:52 [en línea] do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e Dado que se espera que el espacio de usuario proporcione el campo s_mount_opts de una longitud máxima de 63 caracteres con el byte final terminado en NUL, use un búfer de 64 bytes que coincida con el tamaño de s_mount_opts, para que strscpy_pad() realice su trabajo correctamente. Devuelve un error si el usuario aún logró proporcionar una cadena no terminada en NUL aquí. Encontrado por el Centro de Verificación de Linux (linuxtesting.org) con Syzkaller.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
NVD-CWE-noinfo
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdcf68640> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bcc386d00> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdcf69cc0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd869e40> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702ba6a6e500> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc50f100> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702ba6a6c0c0> | Operating System |
| linux | linux_kernel | 6.18 | <built-in method update of dict object at 0x702bdcf68bc0> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdcf6aac0> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdc50c600> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bcc387240> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bcc386000> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdd1cb300> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdc50e8c0> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bcc387e40> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bcc3870c0> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:* |