Impact: A maliciously crafted file system may cause unexpected system shutdown or arbitrary code execution
Description: A heap-based buffer overflow issue existed in the handling of HFS resource forks. A maliciously crafted filesystem may cause an unexpected system shutdown or arbitrary code execution with kernel privileges. The issue was addressed through improved bounds checking.
MACOS X 10.9 CODE
http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c
=================
/*
 * Supply hfs_getnewvnode with a component name.
 */
cn.cn_pnbuf = NULL;
if (descptr->cd_nameptr) {
    MALLOC_ZONE(cn.cn_pnbuf, caddr_t, MAXPATHLEN, M_NAMEI, M_WAITOK);
    cn.cn_nameiop = LOOKUP;
    cn.cn_flags = ISLASTCN | HASBUF;
    cn.cn_context = NULL;
    cn.cn_pnlen = MAXPATHLEN;
    cn.cn_nameptr = cn.cn_pnbuf;
    cn.cn_hash = 0;
    cn.cn_consume = 0;
    cn.cn_namelen = snprintf(cn.cn_nameptr, MAXPATHLEN,    <===============
                             "%s%s", descptr->cd_nameptr,
                             _PATH_RSRCFORKSPEC);
}
=================
MACOS X 10.10 CODE
http://opensource.apple.com/source/xnu/xnu-2782.1.97/bsd/hfs/hfs_vnops.c
=================
/*
 * Supply hfs_getnewvnode with a component name.
 */
cn.cn_pnbuf = NULL;
if (descptr->cd_nameptr) {
    MALLOC_ZONE(cn.cn_pnbuf, caddr_t, MAXPATHLEN, M_NAMEI, M_WAITOK);
    cn.cn_nameiop = LOOKUP;
    cn.cn_flags = ISLASTCN | HASBUF;
    cn.cn_context = NULL;
    cn.cn_pnlen = MAXPATHLEN;
    cn.cn_nameptr = cn.cn_pnbuf;
    cn.cn_hash = 0;
    cn.cn_consume = 0;
    cn.cn_namelen = snprintf(cn.cn_nameptr, MAXPATHLEN,    <======================
                             "%s%s", descptr->cd_nameptr,
                             _PATH_RSRCFORKSPEC);
    // Should never happen because cn.cn_nameptr won't ever be long...    <===============
    if (cn.cn_namelen >= MAXPATHLEN) {    <==================================
        FREE_ZONE(cn.cn_pnbuf, cn.cn_pnlen, M_NAMEI);
        return ENAMETOOLONG;
    }
}
=================
Note the comment on the new check: it says the name can never be that long, yet this bounds check is the fix Apple's advisory refers to. The snprintf call itself truncates safely at MAXPATHLEN-1 bytes plus the NUL, but its return value is the length the whole string would have had, so in the 10.9 code cn_namelen could exceed the MAXPATHLEN buffer that cn_nameptr points into, and that oversized length was handed on to hfs_getnewvnode. The 10.10 code rejects such a name with ENAMETOOLONG before the component name is used.
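To make the difference concrete, here is an added user-space model of the construction above (example code written for this note, not XNU's). It falls back to a MAXPATHLEN of 1024 when no header supplies one, and uses the "/..namedfork/rsrc" suffix that XNU defines as _PATH_RSRCFORKSPEC; the cd_nameptr inputs are constructed strings of 'A's, and the model says nothing about how a crafted volume delivers such a name or what the kernel does with cn_namelen afterwards.

```c
/*
 * Added example (not XNU code): a user-space model of the component-name
 * construction in hfs_vnops.c. It reproduces the snprintf return-value trap
 * that the 10.10 check closes; it does not model how a crafted HFS volume
 * supplies the long name, nor what hfs_getnewvnode does with cn_namelen.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024   /* XNU's value; results below are relative to it */
#endif

/* The suffix XNU appends to reach a resource fork (its _PATH_RSRCFORKSPEC). */
#define PATH_RSRCFORKSPEC "/..namedfork/rsrc"

/* Stand-in for the struct componentname fields the snippet fills in. */
struct cn_model {
    char  *cn_pnbuf;    /* MAXPATHLEN-byte heap buffer (MALLOC_ZONE in XNU) */
    size_t cn_pnlen;
    int    cn_namelen;  /* length the rest of the VFS is told the name has */
};

/* 10.9 behaviour: trust whatever snprintf returns. */
static int build_name_unchecked(struct cn_model *cn, const char *cd_nameptr)
{
    cn->cn_pnbuf = malloc(MAXPATHLEN);
    if (cn->cn_pnbuf == NULL)
        return ENOMEM;
    cn->cn_pnlen = MAXPATHLEN;
    /* snprintf stops writing after MAXPATHLEN-1 bytes plus NUL, but returns the
     * length the whole string would have had, so cn_namelen can exceed the buffer. */
    cn->cn_namelen = snprintf(cn->cn_pnbuf, MAXPATHLEN, "%s%s",
                              cd_nameptr, PATH_RSRCFORKSPEC);
    return 0;
}

/* 10.10 behaviour: reject a name whose formatted length did not fit. */
static int build_name_checked(struct cn_model *cn, const char *cd_nameptr)
{
    int err = build_name_unchecked(cn, cd_nameptr);
    if (err != 0)
        return err;
    if (cn->cn_namelen >= MAXPATHLEN) {
        free(cn->cn_pnbuf);          /* FREE_ZONE in XNU */
        cn->cn_pnbuf = NULL;
        cn->cn_namelen = 0;
        return ENAMETOOLONG;
    }
    return 0;
}

/* What a caller observes for an n-character catalog name. */
struct probe {
    int    namelen;   /* cn_namelen handed downstream (0 if rejected) */
    size_t held;      /* bytes the buffer actually contains (0 if rejected) */
    int    status;    /* 0, or ENAMETOOLONG from the 10.10 check */
};

/* Run the 10.9 (checked == 0) or 10.10 (checked != 0) construction on a constructed name. */
static struct probe probe_name(size_t n, int checked)
{
    struct probe p = {0, 0, 0};
    struct cn_model cn = {NULL, 0, 0};
    char *name = malloc(n + 1);          /* constructed cd_nameptr: n 'A' characters */
    if (name == NULL)
        abort();
    memset(name, 'A', n);
    name[n] = '\0';
    p.status = checked ? build_name_checked(&cn, name) : build_name_unchecked(&cn, name);
    if (cn.cn_pnbuf != NULL) {
        p.namelen = cn.cn_namelen;
        p.held = strlen(cn.cn_pnbuf);
        free(cn.cn_pnbuf);
    }
    free(name);
    return p;
}

int main(void)
{
    struct probe bad = probe_name(2 * MAXPATHLEN, 0);
    struct probe fixed = probe_name(2 * MAXPATHLEN, 1);
    printf("10.9:  cn_namelen=%d but the buffer holds %zu bytes\n", bad.namelen, bad.held);
    printf("10.10: status=%d (ENAMETOOLONG=%d)\n", fixed.status, ENAMETOOLONG);
    return 0;
}
```

With a name of twice MAXPATHLEN, the 10.9 path reports a cn_namelen of 2*MAXPATHLEN+17 while the buffer holds MAXPATHLEN-1 bytes; the 10.10 path returns ENAMETOOLONG and frees the buffer. The boundary is exact: a name of MAXPATHLEN-18 characters (total MAXPATHLEN-1 with the 17-byte suffix) still fits, one character more is rejected.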
Vulnerability discovered by the cifrex.org static code analysis tool.
More:
http://cxsecurity.com/issue/WLB-2014040027