File: CVE-2023-45897-out-of-bounds-memory-access

exfatprogs 1.2.0-1%2Bdeb12u1
Description: CVE-2023-45897 out-of-bounds memory access
Origin: https://github.com/exfatprogs/exfatprogs/commit/ec78688e5fb5a70e13df82b4c0da1e6228d3ccdf
 https://github.com/exfatprogs/exfatprogs/commit/22d0e43e8d24119cbfc6efafabb0dec6517a86c4
 https://github.com/exfatprogs/exfatprogs/commit/4abc55e976573991e6a1117bb2b3711e59da07ae
Last-Update: 2023-10-31
Index: exfatprogs/exfat2img/exfat2img.c
===================================================================
--- exfatprogs.orig/exfat2img/exfat2img.c
+++ exfatprogs/exfat2img/exfat2img.c
@@ -319,7 +319,7 @@ static int read_file_dentry_set(struct e
 	if (!node)
 		return -ENOMEM;
 
-	for (i = 2; i <= file_de->file_num_ext; i++) {
+	for (i = 2; i <= MIN(file_de->file_num_ext, 1 + MAX_NAME_DENTRIES); i++) {
 		ret = exfat_de_iter_get(iter, i, &dentry);
 		if (ret || dentry->type != EXFAT_NAME)
 			break;
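Review bot: The clamp in the loop condition silently stops the walk at `1 + MAX_NAME_DENTRIES` when the on-disk `file_num_ext` is larger, so an oversized count read from the image is tolerated without any diagnostic. The same condition is added to `read_file_dentry_set` in fsck/fsck.c. The bound deserves a comment where it is used, for example `/* index 1 is the stream dentry; at most MAX_NAME_DENTRIES name dentries follow */`. In the fsck copy, consider reporting a `file_num_ext` above the bound as corruption instead of only truncating the walk; whether a later check already does this is not visible here. The function body starts and ends outside the hunk.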
Index: exfatprogs/fsck/fsck.c
===================================================================
--- exfatprogs.orig/fsck/fsck.c
+++ exfatprogs/fsck/fsck.c
@@ -769,7 +769,7 @@ ask_again:
 		char *rename = NULL;
 		__u16 hash;
 		struct exfat_dentry *stream_de;
-		int name_len, ret;
+		int ret;
 
 		switch (num) {
 		case 1:
@@ -798,11 +798,11 @@ ask_again:
 		if (ret < 0)
 			return ret;
 
+		ret >>=1;
 		memcpy(dentry->name_unicode, utf16_name, ENTRY_NAME_MAX * 2);
-		name_len = exfat_utf16_len(utf16_name, ENTRY_NAME_MAX * 2);
-		hash = exfat_calc_name_hash(iter->exfat, utf16_name, (int)name_len);
+		hash = exfat_calc_name_hash(iter->exfat, utf16_name, ret);
 		exfat_de_iter_get_dirty(iter, 1, &stream_de);
-		stream_de->stream_name_len = (__u8)name_len;
+		stream_de->stream_name_len = (__u8)ret;
 		stream_de->stream_name_hash = cpu_to_le16(hash);
 	}
 
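Review bot: After `ret >>=1;` the variable `ret` no longer holds a status code but a name length in UTF-16 code units, which is easy to misread where it feeds `exfat_calc_name_hash` and `stream_name_len`. Keeping the `name_len` declaration and writing `name_len = ret >> 1;` would make the unit change explicit, as would a comment such as `/* ret is the encoded length in bytes; halve it to get UTF-16 code units */`. Both assume the call above the hunk returns a byte count, which is not visible here. The `(__u8)ret` cast relies on that length fitting in eight bits, and the return value of `exfat_de_iter_get_dirty` is not checked before `stream_de` is written, so both deserve a guard or a comment. The enclosing block starts outside the hunk.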
@@ -856,7 +856,7 @@ static int read_file_dentry_set(struct e
 	if (!node)
 		return -ENOMEM;
 
-	for (i = 2; i <= file_de->file_num_ext; i++) {
+	for (i = 2; i <= MIN(file_de->file_num_ext, 1 + MAX_NAME_DENTRIES); i++) {
 		ret = exfat_de_iter_get(iter, i, &dentry);
 		if (ret || dentry->type != EXFAT_NAME) {
 			if (i > 2 && repair_file_ask(iter, NULL, ER_DE_NAME,
Index: exfatprogs/include/exfat_ondisk.h
===================================================================
--- exfatprogs.orig/include/exfat_ondisk.h
+++ exfatprogs/include/exfat_ondisk.h
@@ -40,6 +40,7 @@
 /* exFAT allows 8388608(256MB) directory entries */
 #define MAX_EXFAT_DENTRIES	8388608
 #define MIN_FILE_DENTRIES	3
+#define MAX_NAME_DENTRIES	17
 
 /* dentry types */
 #define MSDOS_DELETED		0xE5	/* deleted mark */
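Review bot: `MAX_NAME_DENTRIES` is introduced without saying where 17 comes from, yet the two loops that clamp on it in exfat2img.c and fsck.c depend on that value matching the name buffer they fill. A comment such as `/* 255-character name limit / ENTRY_NAME_MAX characters per name dentry, rounded up */` would tie the constant to the on-disk format. If `ENTRY_NAME_MAX` is 15, as I expect but cannot see in this hunk, the value could be derived from it instead of hard-coded, so the two cannot drift apart.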