Bug 2221609 (CVE-2023-4273) - CVE-2023-4273 kernel: exFAT: stack overflow in exfat_get_uniname_from_ext_entry
Summary: CVE-2023-4273 kernel: exFAT: stack overflow in exfat_get_uniname_from_ext_entry
Keywords:
Status: NEW
Alias: CVE-2023-4273
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2221610 2221611 2230448 2230452
Blocks: 2221604
Reported: 2023-07-10 09:50 UTC by Mauro Matteo Cascella
Modified: 2023-11-09 07:11 UTC (History)

Fixed In Version: kernel 6.5-rc5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:6835 0 None None None 2023-11-09 07:11:05 UTC
Red Hat Product Errata RHSA-2023:6583 0 None None None 2023-11-07 08:20:41 UTC

Description Mauro Matteo Cascella 2023-07-10 09:50:35 UTC
A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index, merging file name parts belonging to one file into a single, long file name.

In particular, there is a stack overflow in the exfat_get_uniname_from_ext_entry() function. This function iterates over a set of entries (in a directory index) looking for those belonging to a file name. And for each file name entry encountered in the current set, it calls the exfat_extract_uni_name() function, which copies characters from a given file name entry into the "uniname" variable. This variable is actually defined on the stack of the exfat_readdir() function. According to the definition of the "exfat_uni_name" type, the file name limit is 258 characters, but the exfat_get_uniname_from_ext_entry() function can write more characters, because it iterates until the limit defined by the "es.num_entries" field is hit (e.g., if there are 100 file name entries, the maximum number of file name characters stored in the set is 1500, so the overflow is 1242 characters, or 2484 bytes; this situation is a file system format violation, because file names longer than 255 characters are forbidden, but the current code works this way).
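As an added illustration (not code from the report, the kernel, or the upstream fix), the following C model shows the bounded form of the reconstruction described above: the sizes follow the numbers in the description (a 258-unit destination buffer, a 255-unit name limit, 15 UTF-16 code units per file name entry), the struct and function names are constructed, and the copy bounds itself by the name limit instead of trusting the entry count alone.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constants modelled on the values in the report (constructed, not the kernel's). */
#define EXFAT_FILE_NAME_LEN 15                    /* code units per file name entry */
#define MAX_NAME_LENGTH     255                   /* longest legal file name */
#define UNINAME_CAPACITY    (MAX_NAME_LENGTH + 3) /* 258-unit on-stack buffer */

/* Constructed model of one file name directory entry. */
struct name_entry {
    uint16_t unicode[EXFAT_FILE_NAME_LEN];
};

/* Constructed model of the destination buffer that lives on the stack. */
struct uni_name {
    uint16_t name[UNINAME_CAPACITY];
    size_t   name_len;
};

/*
 * Bounded reconstruction: merge name parts from consecutive entries into dst.
 * Returns the number of code units written, or -1 when the set could carry a
 * name longer than MAX_NAME_LENGTH (a format violation the caller must reject
 * rather than copy). The entry count is checked up front, and the per-unit
 * check guards the buffer even if that count were wrong.
 */
int reconstruct_name(struct uni_name *dst,
                     const struct name_entry *entries, size_t num_entries)
{
    /* 17 entries hold exactly 255 units; an 18th could push the name past the limit. */
    const size_t max_entries =
        (MAX_NAME_LENGTH + EXFAT_FILE_NAME_LEN - 1) / EXFAT_FILE_NAME_LEN;
    size_t len = 0;

    if (num_entries > max_entries)
        return -1;

    for (size_t i = 0; i < num_entries; i++) {
        for (size_t j = 0; j < EXFAT_FILE_NAME_LEN; j++) {
            uint16_t c = entries[i].unicode[j];
            if (c == 0)                 /* the last entry is NUL-padded */
                goto done;
            if (len >= MAX_NAME_LENGTH) /* never write past the legal length */
                return -1;
            dst->name[len++] = c;
        }
    }
done:
    dst->name[len] = 0;                 /* index <= 255, inside the 258-unit buffer */
    dst->name_len = len;
    return (int)len;
}
```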

Comment 2 Mauro Matteo Cascella 2023-08-09 13:00:36 UTC
Upstream fix:
https://github.com/torvalds/linux/commit/d42334578eba1390859012ebb91e1e556d51db49

Comment 3 Mauro Matteo Cascella 2023-08-09 13:01:56 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2230448]

Comment 5 Mauro Matteo Cascella 2023-08-28 08:55:30 UTC
In reply to comment #0:
> A flaw was found in the exFAT driver of the Linux kernel. The vulnerability
> exists in the implementation of the file name reconstruction function, which
> is responsible for reading file name entries from a directory index, merging
> file name parts belonging to one file into a single, long file name.

This vulnerability was discovered by Maxim Suhanov. For more information, see his personal blog post: https://dfir.ru/2023/08/23/cve-2023-4273-a-vulnerability-in-the-linux-exfat-driver.

Comment 6 errata-xmlrpc 2023-11-07 08:20:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6583 https://access.redhat.com/errata/RHSA-2023:6583
