Bug 540736 (CVE-2009-4020) - CVE-2009-4020 kernel: hfs buffer overflow
Summary: CVE-2009-4020 kernel: hfs buffer overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-4020
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20091204,reported=20091124,sou...
Depends On: 540738 540739 540740 540741
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-24 00:48 UTC by Eugene Teo (Security Response)
Modified: 2019-06-08 12:52 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-10 16:22:07 UTC


Attachments (Terms of Use)
patch for rhel-5 (1.76 KB, patch)
2009-11-24 00:53 UTC, Eugene Teo (Security Response)
no flags Details | Diff
patch for kernel 2.6.31.6 (1.76 KB, patch)
2009-11-24 00:54 UTC, Eugene Teo (Security Response)
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0046 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-01-19 23:36:43 UTC
Red Hat Product Errata RHSA-2010:0076 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-02-02 20:41:06 UTC

Description Eugene Teo (Security Response) 2009-11-24 00:48:58 UTC
Description of problem:
A specially-crafted Hierarchical File System (HFS) filesystem could cause a buffer overflow to occur in a process's kernel stack during a memcpy() call within the hfs_bnode_read() function (at fs/hfs/bnode.c:24). The attacker can provide the source buffer and length, and the destination buffer is a local variable of a fixed length. This local variable (passed as "&entry" from fs/hfs/dir.c:112 and allocated on line 60) is stored in the stack frame of hfs_bnode_read()'s caller, which is hfs_readdir(). Because the hfs_readdir() function executes upon any attempt to read a directory on the filesystem, it gets called whenever a user attempts to inspect any filesystem contents.

Comment 1 Eugene Teo (Security Response) 2009-11-24 00:53:12 UTC
Created attachment 373294 [details]
patch for rhel-5

Comment 2 Eugene Teo (Security Response) 2009-11-24 00:54:53 UTC
Created attachment 373295 [details]
patch for kernel 2.6.31.6

Comment 5 Eugene Teo (Security Response) 2009-12-04 04:44:31 UTC
The patch has been added to the -mm tree:
http://marc.info/?l=linux-mm-commits&m=125987755823047&w=2

Comment 6 Eugene Teo (Security Response) 2009-12-15 23:35:48 UTC
Upstream commit:
http://git.kernel.org/linus/ec81aecb29668ad71f699f4e7b96ec46691895b6

Comment 7 Chuck Ebbert 2010-01-06 08:36:32 UTC
Fixed in 2.6.32.2, 2.6.31.9 and 2.6.27.42:
hfs-fix-a-potential-buffer-overflow.patch

Comment 8 errata-xmlrpc 2010-01-19 23:37:17 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0046 https://rhn.redhat.com/errata/RHSA-2010-0046.html

Comment 9 Aristeu Rozanski 2010-01-26 13:05:57 UTC
We don't have hfs or hfs+ enabled in RHEL6.

Comment 10 errata-xmlrpc 2010-02-02 20:41:25 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0076 https://rhn.redhat.com/errata/RHSA-2010-0076.html


Note You need to log in before you can comment on or make changes to this bug.