Bugzilla – Bug 49841
VUL-0: CVE-2004-0109: kernel: ISO9660 filesystem: buffer overflow
Last modified: 2021-10-02 08:58:23 UTC
Hi, the following (private) announcement from iDEFENSE reached us on Friday.

iDEFENSE has identified a buffer overflow vulnerability in the ISO9660 filesystem component of the Linux kernel. This vulnerability was submitted to iDEFENSE through our Vulnerability Contributor Program (http://www.idefense.com/poi/teams/vcp.jsp). iDEFENSE Labs has validated this vulnerability and has drafted the attached advisory. In accordance with our vendor disclosure policy (http://www.idefense.com/legal_disclosure.jsp) we would request that you acknowledge receipt of this initial notification within five business days so that we may begin the process of coordinating an appropriate public disclosure date for this issue that will provide your company with adequate time to develop a patch or workaround to mitigate this vulnerability. If you have questions regarding this issue or require further details to assist with your own analysis, please do not hesitate to contact us.

Regards,
Michael Sutton

Michael Sutton, CA, CISA
Director, iDEFENSE Labs
iDEFENSE
1875 Campus Commons Drive, Suite 210
Reston, VA 20191
direct: 703.480.5628
voice: 703.390.1230
fax: 703.390.9456
msutton@idefense.com
www.idefense.com
Advisory will be attached.
Created attachment 16111 [details] Buffer Overflow in ISO9660 Filesystem Component of Linux Kernel.txt
Date: Sun, 22 Feb 2004 10:46:00 +0000 (GMT)
From: Mark J Cox <mjc@redhat.com>
To: security@suse.de, security@linux-mandrake.com, security@slackware.com
Subject: [security@suse.de] Re: iso9660 (fwd)

Please note I've reserved CAN-2004-0109 for the iDefense reported issue in iso9660 and sent this to them. I've also suggested a disclosure date of March 10th at 1400UTC.

Best Regards, Mark
--
Mark J Cox / Red Hat Security Response Team
Do we already have a fix?
No, I think there will be one popping up in the next few days on vendor-sec.
iso9660 filesystems are not used on s390(x) unless mounted via loopback. Therefore, the security problem does not apply to s390(x). Adding ihno@ to Cc:. Ihno will include the patch to his kernels, but will not trigger an update for this specific bug.
Created attachment 16235 [details] Sample exploit provided by iDEFENSE. Maybe it helps to trigger stuff.
I am digging into the issue now; I hope I am able to make some sensible proposed patches, which I will attach then.
Created attachment 16236 [details] Proposed patch from me. I am not a kernel hacker. I assume that kmap() returns an address of a page, so we should not write more than PAGE_SIZE bytes to this location. This check has basically been added.
That was the only suspicious code I found too. Maybe we caught the right one. :) Did you run tests of the little exploit against the patched kernel?
No, no tests except compilation. Thing is, when the exploit doesn't work against the patched kernel, it means nothing. :-)
BTW, can symlinks be arbitrarily long? If they can be as long as 2GB then we also need to check for integer wraps. But they probably don't fit onto an ISO9660 :)
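As an added illustration of the two checks discussed above (the PAGE_SIZE bound from the proposed patch and the integer-wrap concern), written for this page and not taken from the attached patch or from kernel code: a page-bounded append that refuses any write past the page and tests the bound as "length > remaining" so that an oversized on-disk length cannot wrap the check. The struct, the 4096-byte page size and the inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PAGE_SIZE 4096   /* assumed page size, standing in for the kernel macro */

/* One symlink path component as read from the image; len is untrusted. */
struct link_component { const char *data; size_t len; };

/* Append len bytes of src to the page at offset *off; 1 on success, 0 if the
 * write would run past the page.  The bound is tested as "len > remaining",
 * not "*off + len > PAGE_SIZE", so an oversized len cannot wrap the sum and
 * slip past the check (the integer-wrap concern raised in the thread). */
static int page_append(char *page, size_t *off, const char *src, size_t len)
{
    if (*off > PAGE_SIZE || len > PAGE_SIZE - *off)
        return 0;
    memcpy(page + *off, src, len);
    *off += len;
    return 1;
}

/* Join the components with '/' into a page-sized buffer.  Returns the
 * target length, or -1 if it plus the NUL terminator would not fit. */
static long build_link_target(char *page, const struct link_component *c, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (i > 0 && !page_append(page, &off, "/", 1))
            return -1;
        if (!page_append(page, &off, c[i].data, c[i].len))
            return -1;
    }
    if (off >= PAGE_SIZE)   /* no room left for the terminator */
        return -1;
    page[off] = '\0';
    return (long)off;
}

static char page_buf[PAGE_SIZE];   /* stands in for the kmap()ed page */

/* Constructed inputs: a sane target, a component claiming more than a page,
 * and a second component whose length makes a naive off + len wrap to a
 * small value (off is 2 after "a/", so 2 + SIZE_MAX wraps to 1). */
static long demo_normal(void)    { struct link_component c[] = {{"usr", 3}, {"lib", 3}}; return build_link_target(page_buf, c, 2); }
static long demo_oversized(void) { struct link_component c[] = {{"x", (size_t)PAGE_SIZE + 1}}; return build_link_target(page_buf, c, 1); }
static long demo_wrap(void)      { struct link_component c[] = {{"a", 1}, {"x", SIZE_MAX}}; return build_link_target(page_buf, c, 2); }
```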
Ok. Just tested the patch on a 2.4.22grsec kernel. Worked fine so far. The iso from the exploit did not cause anything. CD mounts etc work fine. But this is not a complete QA. Will test exploit against unpatched kernel now.
Ok. On a 2.4.18 the exploit causes an oops. So I guess the patch works.
comment #11: but if it works, it means a lot. ;)
I think we can use Sebastian's patch.
Fixes are in; kernels are waiting to be checked in.
CRD: Wednesday April 14, 2004 at 1400UTC/900EST
packages approved
CVE-2004-0109: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)