Bug 540736 (CVE-2009-4020) - CVE-2009-4020 kernel: hfs buffer overflow
Summary: CVE-2009-4020 kernel: hfs buffer overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-4020
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 540738 540739 540740 540741
Blocks:
Reported: 2009-11-24 00:48 UTC by Eugene Teo (Security Response)
Modified: 2021-11-12 20:02 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-07-10 16:22:07 UTC
Embargoed:


Attachments
patch for rhel-5 (1.76 KB, patch)
2009-11-24 00:53 UTC, Eugene Teo (Security Response)
patch for kernel 2.6.31.6 (1.76 KB, patch)
2009-11-24 00:54 UTC, Eugene Teo (Security Response)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0046 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-01-19 23:36:43 UTC
Red Hat Product Errata RHSA-2010:0076 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-02-02 20:41:06 UTC

Description Eugene Teo (Security Response) 2009-11-24 00:48:58 UTC
Description of problem:
A specially-crafted Hierarchical File System (HFS) filesystem could cause a buffer overflow to occur in a process's kernel stack during a memcpy() call within the hfs_bnode_read() function (at fs/hfs/bnode.c:24). The attacker can provide the source buffer and length, and the destination buffer is a local variable of a fixed length. This local variable (passed as "&entry" from fs/hfs/dir.c:112 and allocated on line 60) is stored in the stack frame of hfs_bnode_read()'s caller, which is hfs_readdir(). Because the hfs_readdir() function executes upon any attempt to read a directory on the filesystem, it gets called whenever a user attempts to inspect any filesystem contents.
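As an added illustration (not code from this bug report, the kernel, or the attached patches), the C sketch below models the read path the description names: a catalog record whose offset and length are taken from the on-disk B-tree node's offset table and copied into a fixed-size on-stack entry. read_entry_unchecked() is the pre-fix shape; read_entry_checked() adds a length check against sizeof(entry), modelled on the bounds check the upstream fix introduced (an assumption about that patch's shape, not quoted from it), and treats a length that does not fit as corrupt metadata. NODE_SIZE, the 70-byte entry, the 14-byte descriptor offset and try_read() are assumptions of this model.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define NODE_SIZE 512   /* assumed B-tree node size for this model */
/* Fixed-size destination, like the "entry" local in hfs_readdir(). */
struct hfs_cat_entry { uint8_t type; uint8_t body[69]; };
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Record i spans offset[i]..offset[i+1] in a big-endian u16 table at the end
 * of the node, so both offset and length come straight from the disk image. */
static void brec_lenoff(const uint8_t *node, int rec, int *off, int *len)
{
    const uint8_t *tab = node + NODE_SIZE - 2 * (rec + 1);
    *off = be16(tab);
    *len = be16(tab - 2) - *off;
}

/* Pre-fix shape: len is trusted, so a record longer than sizeof(*entry)
 * overruns the caller's stack frame. Kept only for contrast. */
void read_entry_unchecked(const uint8_t *node, int rec, struct hfs_cat_entry *entry)
{
    int off, len;
    brec_lenoff(node, rec, &off, &len);
    memcpy(entry, node + off, (size_t)len);
}

/* Post-fix shape: the destination size check, plus a source-side bound so
 * this model never reads past the node either; bad metadata is -EIO. */
int read_entry_checked(const uint8_t *node, int rec, struct hfs_cat_entry *entry)
{
    int off, len;
    brec_lenoff(node, rec, &off, &len);
    if (len > (int)sizeof(*entry) || len < 0 || off + len > NODE_SIZE)
        return -EIO;
    memcpy(entry, node + off, (size_t)len);
    return 0;
}

/* Constructed node image: record 0 starts at byte 14 (after the node
 * descriptor) and offset[1] decides its length. Returns 0 or -EIO. */
int try_read(uint16_t end_of_rec0)
{
    uint8_t node[NODE_SIZE] = {0};
    struct hfs_cat_entry entry;
    node[14] = 1;                                   /* entry.type of record 0 */
    node[NODE_SIZE - 1] = 14;                       /* offset[0] = 14 */
    node[NODE_SIZE - 4] = (uint8_t)(end_of_rec0 >> 8);   /* offset[1] */
    node[NODE_SIZE - 3] = (uint8_t)end_of_rec0;
    return read_entry_checked(node, 0, &entry);
}
```

A 70-byte record (offset[1] = 84) is accepted, while an offset table claiming 486 bytes or ordered backwards is rejected before any copy happens.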

Comment 1 Eugene Teo (Security Response) 2009-11-24 00:53:12 UTC
Created attachment 373294
patch for rhel-5

Comment 2 Eugene Teo (Security Response) 2009-11-24 00:54:53 UTC
Created attachment 373295
patch for kernel 2.6.31.6

Comment 5 Eugene Teo (Security Response) 2009-12-04 04:44:31 UTC
The patch has been added to the -mm tree:
http://marc.info/?l=linux-mm-commits&m=125987755823047&w=2

Comment 6 Eugene Teo (Security Response) 2009-12-15 23:35:48 UTC
Upstream commit:
http://git.kernel.org/linus/ec81aecb29668ad71f699f4e7b96ec46691895b6

Comment 7 Chuck Ebbert 2010-01-06 08:36:32 UTC
Fixed in 2.6.32.2, 2.6.31.9 and 2.6.27.42:
hfs-fix-a-potential-buffer-overflow.patch

Comment 8 errata-xmlrpc 2010-01-19 23:37:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0046 https://rhn.redhat.com/errata/RHSA-2010-0046.html

Comment 9 Aristeu Rozanski 2010-01-26 13:05:57 UTC
We don't have hfs or hfs+ enabled in RHEL6.

Comment 10 errata-xmlrpc 2010-02-02 20:41:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0076 https://rhn.redhat.com/errata/RHSA-2010-0076.html
