https://blog.fuzzing-project.org/25-Heap-overflow-and-endless-loop-in-exfatfsck-exfat-utils.html exfat-utils is a collection of tools to work with the exFAT filesystem. Fuzzing the exfatfsck with american fuzzy lop led to the discovery of a write heap overflow and an endless loop. Especially at risk are systems that are configured to run filesystem checks automatically on external devices like USB flash drives. A malformed input can cause a write heap overflow in the function verify_vbr_checksum. It might be possible to use this for code execution. Upstream bug report https://github.com/relan/exfat/issues/5 Sample file triggering the bug https://crashes.fuzzing-project.org/exfatfsck-heap-overflow-write-verify_vbr_checksum Git commit for fix https://github.com/relan/exfat/commit/2e86ae5f81da11f11673d0546efb525af02b7786 Another malformed input can cause an endless loop, leading to a possible denial of service. Upstream bug report https://github.com/relan/exfat/issues/6 Sample file triggering the bug https://crashes.fuzzing-project.org/exfatfsck-endless-loop Git commit of fix https://github.com/relan/exfat/commit/35a1f77f9be2d8b21731f758baba4334935bf18b static uint64_t rootdir_size(const struct exfat* ef) { - uint64_t clusters = 0; + uint32_t clusters = 0; + uint32_t clusters_max = le32_to_cpu(ef->sb->cluster_count); cluster_t rootdir_cluster = le32_to_cpu(ef->sb->rootdir_cluster); - while (!CLUSTER_INVALID(rootdir_cluster)) + /* Iterate all clusters of the root directory to calculate its size. + It can't be contiguous because there is no flag to indicate this. */ + do { - clusters++; - /* root directory cannot be contiguous because there is no flag - to indicate this */ + if (clusters == clusters_max) /* infinite loop detected */ + { + exfat_error("root directory cannot occupy all %d clusters", + clusters); + return 0; + } + if (CLUSTER_INVALID(rootdir_cluster)) + { + exfat_error("bad cluster %#x while reading root directory", + rootdir_cluster); + return 0; + } rootdir_cluster = exfat_next_cluster(ef, ef->root, rootdir_cluster); + clusters++; } - if (rootdir_cluster != EXFAT_CLUSTER_END) - { - exfat_error("bad cluster %#x while reading root directory", - rootdir_cluster); - return 0; - } - return clusters * CLUSTER_SIZE(*ef->sb); + while (rootdir_cluster != EXFAT_CLUSTER_END); + + return (uint64_t) clusters * CLUSTER_SIZE(*ef->sb); } static const char* get_option(const char* options, const char* option_name) Both issues have been fixed in the latest release 1.2.1 of exfat-utils. https://github.com/relan/exfat/releases/tag/v1.2.1 -- Hanno Böck http://hboeck.de/