CVE-2022-50747

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hfs: Fix OOB Write in hfs_asc2mac<br /> <br /> Syzbot reported a OOB Write bug:<br /> <br /> loop0: detected capacity change from 0 to 64<br /> ==================================================================<br /> BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0<br /> fs/hfs/trans.c:133<br /> Write of size 1 at addr ffff88801848314e by task syz-executor391/3632<br /> <br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106<br /> print_address_description+0x74/0x340 mm/kasan/report.c:284<br /> print_report+0x107/0x1f0 mm/kasan/report.c:395<br /> kasan_report+0xcd/0x100 mm/kasan/report.c:495<br /> hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133<br /> hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28<br /> hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31<br /> lookup_open fs/namei.c:3391 [inline]<br /> open_last_lookups fs/namei.c:3481 [inline]<br /> path_openat+0x10e6/0x2df0 fs/namei.c:3710<br /> do_filp_open+0x264/0x4f0 fs/namei.c:3740<br /> <br /> If in-&gt;len is much larger than HFS_NAMELEN(31) which is the maximum<br /> length of an HFS filename, a OOB write could occur in hfs_asc2mac(). In<br /> that case, when the dst reaches the boundary, the srclen is still<br /> greater than 0, which causes a OOB write.<br /> Fix this by adding a check on dstlen in while() before writing to dst<br /> address.