Bug 2221609 (CVE-2023-4273)

Summary: CVE-2023-4273 kernel: exFAT: stack overflow in exfat_get_uniname_from_ext_entry
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, allarkin, bhu, chwhite, crwood, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, ikent, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, ldoskova, lgoncalv, lzampier, nmurray, ptalbert, qzhao, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, security-response-team, tglozar, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote, ymankad
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 6.5-rc5 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2221610, 2221611, 2230448, 2230452    
Bug Blocks: 2221604    

Description Mauro Matteo Cascella 2023-07-10 09:50:35 UTC 
A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index, merging file name parts belonging to one file into a single, long file name.

In particular, there is a stack overflow in the exfat_get_uniname_from_ext_entry() function. This function iterates over a set of entries (in a directory index) looking for those belonging to a file name. And for each file name entry encountered in the current set, it calls the exfat_extract_uni_name() function, which copies characters from a given file name entry into the "uniname" variable. This variable is actually defined on the stack of the exfat_readdir() function. According to the definition of the "exfat_uni_name" type, the file name limit is 258 characters, but the
exfat_get_uniname_from_ext_entry() function can write more characters, because it iterates until the limit defined by the "es.num_entries" field is hit (e.g., if there are 100 file name entries, the maximum number of file name characters stored in the set is 1500, so the overflow is 1242 characters, or 2484 bytes; this situation is a file system format violation, because file names longer than 255 characters are forbidden, but the current code works this way).
Comment 2 Mauro Matteo Cascella 2023-08-09 13:00:36 UTC 
Upstream fix:
https://github.com/torvalds/linux/commit/d42334578eba1390859012ebb91e1e556d51db49
Comment 3 Mauro Matteo Cascella 2023-08-09 13:01:56 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2230448]
Comment 5 Mauro Matteo Cascella 2023-08-28 08:55:30 UTC 
In reply to comment #0:
> A flaw was found in the exFAT driver of the Linux kernel. The vulnerability
> exists in the implementation of the file name reconstruction function, which
> is responsible for reading file name entries from a directory index, merging
> file name parts belonging to one file into a single, long file name.

This vulnerability was discovered by Maxim Suhanov. For more information, see his personal blog post: https://dfir.ru/2023/08/23/cve-2023-4273-a-vulnerability-in-the-linux-exfat-driver.
Comment 6 errata-xmlrpc 2023-11-07 08:20:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6583 https://access.redhat.com/errata/RHSA-2023:6583