Bugzilla – Bug 49841
VUL-0: CVE-2004-0109: kernel: ISO9660 filesystem: buffer overflow
Last modified: 2021-10-02 08:58:23 UTC
The following (private) announcement from iDEFENSE reached us on Friday.
iDEFENSE has identified a buffer overflow vulnerability in the ISO9660
filesystem component of Linux kernel. This vulnerability was submitted
to iDEFENSE through our Vulnerability Contributor Program
(http://www.idefense.com/poi/teams/vcp.jsp). iDEFENSE Labs has validated
this vulnerability and has drafted the attached advisory. In accordance
with our vendor disclosure policy
(http://www.idefense.com/legal_disclosure.jsp) we would request that you
acknowledge receipt of this initial notification within five business
days so that we may begin the process of coordinating an appropriate
public disclosure date for this issue that will provide your company
with adequate time to develop a patch or workaround to mitigate this
vulnerability. If you have questions regarding this issue or require
further details to assist with your own analysis, please do not hesitate
to contact us.
Michael Sutton, CA, CISA
Director, iDEFENSE Labs
1875 Campus Commons Drive, Suite 210
Reston, VA 20191
Advisory will be attached.
Created attachment 16111
Buffer Overflow in ISO9660 Filesystem Component of Linux Kernel.txt
Date: Sun, 22 Feb 2004 10:46:00 +0000 (GMT)
From: Mark J Cox <firstname.lastname@example.org>
To: email@example.com, firstname.lastname@example.org, email@example.com
Subject: [firstname.lastname@example.org] Re: iso9660 (fwd)
Please note I've reserved CAN-2004-0109 for the iDefense reported issue in
iso9660 and sent this to them.
I've also suggested a disclosure date of March 10th at 1400UTC.
Best Regards, Mark
Mark J Cox / Red Hat Security Response Team
Do we already have a fix?
I think there will be one popping up in the next few days on vendor-sec.
iso9660 filesystems are not used on s390(x) unless mounted via loopback.
Therefore, the security problem does not apply to s390(x). Adding ihno@ to Cc:.
Ihno will include the patch to his kernels, but will not trigger an update
for this specific bug.
Created attachment 16235
Sample exploit provided by iDEFENSE. Maybe helps to trigger stuff
I am digging into the issue now; I hope I am able to make
some sensible proposed patches, which I will attach then.
Created attachment 16236
Proposed patch from me.
I am not a kernel hacker. I assume that kmap()
returns an address of a page, so we
should not write more than PAGE_SIZE bytes
to this location. This check has basically been
That was the only suspicious code I found too. Maybe we caught the right
Did you run tests of the little exploit against the patched kernel?
No, no tests except compilation.
Thing is, when the exploit doesn't work against the patched kernel,
it means nothing. :-)
BTW, can symlinks be arbitrarily long?
If they can be as long as 2GB then we also need to
check for integer wraps. But they probably don't fit
onto an ISO9660 :)
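The two checks discussed in the comments above (do not write past the kmap()'d page, and compare lengths in a way that cannot wrap for an oversized length field) as an added user-space C illustration. This is not the attached patch or the kernel's isofs code; DEMO_PAGE_SIZE, struct sl_component and sl_build are constructed for this example and do not model the on-disc Rock Ridge record layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's PAGE_SIZE: the size of the kmap()'d page the
 * symlink text is written into. 4096 is the x86 value; the name is ours. */
#define DEMO_PAGE_SIZE 4096u

/* One path component of a symlink, as a parser would hand it over.
 * Simplified model for this example, not the on-disc Rock Ridge "SL" layout. */
struct sl_component {
    const char *data;
    size_t len;       /* untrusted: comes straight from the image */
};

/* Join n components with '/' into page[0..cap), NUL-terminated.
 * Returns the resulting length, or -1 if anything would not fit.
 * Every comparison has the form len >= room, never used + len > cap:
 * the subtraction cap - used cannot wrap (used <= cap is an invariant),
 * whereas the sum could wrap for a len near SIZE_MAX and pass the test. */
static long sl_build(char *page, size_t cap,
                     const struct sl_component *comps, size_t n)
{
    size_t used = 0;

    if (cap == 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        size_t room = cap - used;          /* bytes still free in the page */

        if (i > 0) {                       /* separator before 2nd.. component */
            if (room < 1)
                return -1;
            page[used++] = '/';
            room--;
        }
        if (comps[i].len >= room)          /* >= keeps one byte for the NUL */
            return -1;                     /* rejected before any memcpy */
        memcpy(page + used, comps[i].data, comps[i].len);
        used += comps[i].len;
    }
    page[used] = '\0';
    return (long)used;
}

/* --- constructed inputs for the demo and checks ---------------------- */

static char page[DEMO_PAGE_SIZE];

/* Well-formed link: "usr" + "bin" -> "usr/bin", length 7. */
static long demo_normal(void)
{
    const struct sl_component c[] = { { "usr", 3 }, { "bin", 3 } };
    return sl_build(page, sizeof page, c, 2);
}

/* One component larger than the page: must be refused, not truncated. */
static long demo_oversized(void)
{
    static char big[DEMO_PAGE_SIZE + 1000];
    memset(big, 'A', sizeof big);
    const struct sl_component c[] = { { big, sizeof big } };
    return sl_build(page, sizeof page, c, 1);
}

/* A length field that would wrap a naive used + len sum: the data behind
 * it is deliberately tiny, so this is only safe if the check never adds. */
static long demo_wrap(void)
{
    const struct sl_component c[] = { { "x", 1 }, { "y", SIZE_MAX } };
    return sl_build(page, sizeof page, c, 2);
}

/* Exact-fit boundary: 3 bytes + NUL needs cap 4; cap 3 is one short.
 * Only call with cap <= 4, the size of the local buffer. */
static long demo_fit(size_t cap)
{
    char small[4];
    const struct sl_component c[] = { { "abc", 3 } };
    return sl_build(small, cap, c, 1);
}

int main(void)
{
    printf("normal    : %ld (%s)\n", demo_normal(), page);
    printf("oversized : %ld\n", demo_oversized());
    printf("wrap      : %ld\n", demo_wrap());
    printf("fit cap=4 : %ld, cap=3 : %ld\n", demo_fit(4), demo_fit(3));
    return 0;
}
```

The point of the wrap case is the one raised in the comment: a check written as `used + len > cap` silently passes when `len` is large enough to wrap the sum, so the bound must be expressed on the remaining room instead.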
Ok. Just tested the patch on a 2.4.22grsec kernel. Worked
fine so far. The iso from the exploit did not cause
anything. CD mounts etc work fine. But this is not
a complete QA. Will test exploit against unpatched kernel now.
Ok. On a 2.4.18 the exploit causes an oops.
So I guess the patch works.
comment #11: but if it works, it means a lot. ;)
I think we can use Sebastian's patch.
Fixes are in; kernels are waiting to be checked in.
CRD: Wednesday April 14, 2004 at 1400UTC/900EST
CVE-2004-0109: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)