CVE-2022-50581

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 22/10/2025
Last modified: 22/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

hfs: fix OOB Read in __hfs_brec_find

Syzbot reported an OOB read bug:

==================================================================
BUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x117/0x190
fs/hfs/string.c:84
Read of size 1 at addr ffff88807eb62c4e by task kworker/u4:1/11
CPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted
6.1.0-rc6-syzkaller-00308-g644e9524388a #0
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:

 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
 print_address_description+0x74/0x340 mm/kasan/report.c:284
 print_report+0x107/0x1f0 mm/kasan/report.c:395
 kasan_report+0xcd/0x100 mm/kasan/report.c:495
 hfs_strcmp+0x117/0x190 fs/hfs/string.c:84
 __hfs_brec_find+0x213/0x5c0 fs/hfs/bfind.c:75
 hfs_brec_find+0x276/0x520 fs/hfs/bfind.c:138
 hfs_write_inode+0x34c/0xb40 fs/hfs/inode.c:462
 write_inode fs/fs-writeback.c:1440 [inline]

If the input inode of hfs_write_inode() is incorrect:
struct inode
  struct hfs_inode_info
    struct hfs_cat_key
      struct hfs_name
        u8 len # len is greater than HFS_NAMELEN(31) which is the
                 maximum length of an HFS filename

OOB read occurred:
hfs_write_inode()
  hfs_brec_find()
    __hfs_brec_find()
      hfs_cat_keycmp()
        hfs_strcmp() # OOB read occurred due to len is too large

Fix this by adding a check on len in hfs_write_inode() before calling
hfs_brec_find().
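The length check described above, modeled in userspace C as an added example (not the kernel's patch or code). `struct name_model`, `overread_bytes` and `checked_name_cmp` are hypothetical names, the comparison is plain byte order rather than the kernel's routine, and the -EIO return value is this example's choice.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HFS_NAMELEN 31 /* maximum HFS filename length, per the description */

/* Userspace model of a length-prefixed name (assumed layout, not kernel code). */
struct name_model {
    uint8_t len;
    uint8_t name[HFS_NAMELEN];
};

/* How many bytes a compare that trusts len would read beyond name[]. */
size_t overread_bytes(const struct name_model *n)
{
    return n->len > HFS_NAMELEN ? (size_t)n->len - HFS_NAMELEN : 0;
}

/* Compare by bytes, then by length. Simplified: plain byte order, no case
 * folding. Callers must have validated both lengths first. */
static int name_cmp(const struct name_model *a, const struct name_model *b)
{
    size_t n = a->len < b->len ? a->len : b->len;
    int r = memcmp(a->name, b->name, n);
    return r ? r : (int)a->len - (int)b->len;
}

/* Reject a corrupted key before any compare runs. Returns 0 and stores the
 * ordering in *out, or -EIO when a length cannot fit its buffer. */
int checked_name_cmp(const struct name_model *key,
                     const struct name_model *rec, int *out)
{
    if (key->len > HFS_NAMELEN || rec->len > HFS_NAMELEN)
        return -EIO;
    *out = name_cmp(key, rec);
    return 0;
}

int main(void)
{
    struct name_model ok = { 3, "abc" };   /* constructed sample */
    struct name_model bad = { 200, "abc" }; /* constructed: len > HFS_NAMELEN */
    int order = 0;
    printf("unchecked over-read: %zu bytes\n", overread_bytes(&bad));
    printf("checked result: %d\n", checked_name_cmp(&bad, &ok, &order));
    return 0;
}
```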

Impact