CVE-2022-50581
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
22/10/2025
Última modificación:
22/10/2025
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
hfs: fix OOB Read in __hfs_brec_find<br />
<br />
Syzbot reported a OOB read bug:<br />
<br />
==================================================================<br />
BUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x117/0x190<br />
fs/hfs/string.c:84<br />
Read of size 1 at addr ffff88807eb62c4e by task kworker/u4:1/11<br />
CPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted<br />
6.1.0-rc6-syzkaller-00308-g644e9524388a #0<br />
Workqueue: writeback wb_workfn (flush-7:0)<br />
Call Trace:<br />
<br />
__dump_stack lib/dump_stack.c:88 [inline]<br />
dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106<br />
print_address_description+0x74/0x340 mm/kasan/report.c:284<br />
print_report+0x107/0x1f0 mm/kasan/report.c:395<br />
kasan_report+0xcd/0x100 mm/kasan/report.c:495<br />
hfs_strcmp+0x117/0x190 fs/hfs/string.c:84<br />
__hfs_brec_find+0x213/0x5c0 fs/hfs/bfind.c:75<br />
hfs_brec_find+0x276/0x520 fs/hfs/bfind.c:138<br />
hfs_write_inode+0x34c/0xb40 fs/hfs/inode.c:462<br />
write_inode fs/fs-writeback.c:1440 [inline]<br />
<br />
If the input inode of hfs_write_inode() is incorrect:<br />
struct inode<br />
struct hfs_inode_info<br />
struct hfs_cat_key<br />
struct hfs_name<br />
u8 len # len is greater than HFS_NAMELEN(31) which is the<br />
maximum length of an HFS filename<br />
<br />
OOB read occurred:<br />
hfs_write_inode()<br />
hfs_brec_find()<br />
__hfs_brec_find()<br />
hfs_cat_keycmp()<br />
hfs_strcmp() # OOB read occurred due to len is too large<br />
<br />
Fix this by adding a Check on len in hfs_write_inode() before calling<br />
hfs_brec_find().
Impacto
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/2344f17c0a89c181ab1a9fef57fd8c3bddfd6e30
- https://git.kernel.org/stable/c/367296925c7625c3969d2a78d7a3e1dee161beb5
- https://git.kernel.org/stable/c/4fd3a11804c8877ff11fec59c5c53f1635331e3e
- https://git.kernel.org/stable/c/8c40f2dbae603ef0bd21e87c63f54ec59fd88256
- https://git.kernel.org/stable/c/8d824e69d9f3fa3121b2dda25053bae71e2460d2
- https://git.kernel.org/stable/c/90103ccb6e60aa4efe48993d23d6a528472f2233
- https://git.kernel.org/stable/c/bfc9d8f27f89717431a6aecce42ae230b437433f
- https://git.kernel.org/stable/c/c886c10a6eddb99923b315f42bf63f448883ef9a
- https://git.kernel.org/stable/c/e9e692917c6e10a7066c7a6d092dcdc3d4e329f3