A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index, merging file name parts belonging to one file into a single, long file name.
In particular, there is a stack overflow in the exfat_get_uniname_from_ext_entry() function. This function iterates over a set of entries (in a directory index) looking for those belonging to a file name. And for each file name entry encountered in the current set, it calls the exfat_extract_uni_name() function, which copies characters from a given file name entry into the "uniname" variable. This variable is actually defined on the stack of the exfat_readdir() function. According to the definition of the "exfat_uni_name" type, the file name limit is 258 characters, but the exfat_get_uniname_from_ext_entry() function can write more characters, because it iterates until the limit defined by the "es.num_entries" field is hit (e.g., if there are 100 file name entries, the maximum number of file name characters stored in the set is 1500, so the overflow is 1242 characters, or 2484 bytes; this situation is a file system format violation, because file names longer than 255 characters are forbidden, but the current code works this way).
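The sizes given in comment #0, worked through in a simplified userspace model. This is an added example, not part of the original report and not the kernel's code or its fix. The constants come from the figures above (1500 characters / 100 entries = 15 per entry, a 258-character buffer, a 255-character format limit); the struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CHARS_PER_ENTRY 15   /* UTF-16 units per file name entry (1500 / 100) */
#define NAME_BUF_CHARS  258  /* capacity of the on-stack name buffer */
#define MAX_NAME_CHARS  255  /* longest file name the format allows */

/* Simplified model of one file name entry (assumption, not the kernel struct). */
struct name_entry { uint16_t chars[CHARS_PER_ENTRY]; };

/* Characters written past the buffer if the loop is bounded only by num_entries. */
size_t unchecked_overflow_chars(size_t num_entries)
{
    size_t written = num_entries * CHARS_PER_ENTRY;
    return written > NAME_BUF_CHARS ? written - NAME_BUF_CHARS : 0;
}

/* Bounded reconstruction: checks the format limit before every write.
 * Returns the name length, or -1 if the entry set violates the format. */
int build_name_checked(const struct name_entry *set, size_t num_entries,
                       uint16_t out[NAME_BUF_CHARS])
{
    size_t len = 0;
    for (size_t i = 0; i < num_entries; i++) {
        for (size_t j = 0; j < CHARS_PER_ENTRY; j++) {
            uint16_t c = set[i].chars[j];
            if (c == 0) { out[len] = 0; return (int)len; }
            if (len >= MAX_NAME_CHARS) return -1; /* reject, do not truncate */
            out[len++] = c;
        }
    }
    out[len] = 0; /* len <= 255, so the terminator fits in 258 */
    return (int)len;
}

/* Constructed input: num_entries entries completely filled with 'A'. */
int demo_checked(size_t num_entries)
{
    static struct name_entry set[128];
    uint16_t out[NAME_BUF_CHARS];
    if (num_entries > 128) return -1;
    for (size_t i = 0; i < num_entries; i++)
        for (size_t j = 0; j < CHARS_PER_ENTRY; j++) set[i].chars[j] = 'A';
    return build_name_checked(set, num_entries, out);
}

int main(void) { printf("%zu %d\n", unchecked_overflow_chars(100), demo_checked(100)); return 0; }
```

Seventeen full entries (255 characters) are the most the bounded loop accepts; an eighteenth entry with any character in it is rejected as a format violation.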
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2230448]
In reply to comment #0:
> A flaw was found in the exFAT driver of the Linux kernel. The vulnerability
> exists in the implementation of the file name reconstruction function, which
> is responsible for reading file name entries from a directory index, merging
> file name parts belonging to one file into a single, long file name.
This vulnerability was discovered by Maxim Suhanov. For more information, see his personal blog post: https://dfir.ru/2023/08/23/cve-2023-4273-a-vulnerability-in-the-linux-exfat-driver.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:6583 https://access.redhat.com/errata/RHSA-2023:6583