exfatfsck / exfat-utils Heap overflow and endless loop

2015.10.24
Credit: Hanno Böck
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

https://blog.fuzzing-project.org/25-Heap-overflow-and-endless-loop-in-exfatfsck-exfat-utils.html

exfat-utils is a collection of tools to work with the exFAT filesystem. Fuzzing exfatfsck with american fuzzy lop led to the discovery of a write heap overflow and an endless loop. Especially at risk are systems that are configured to run filesystem checks automatically on external devices like USB flash drives.

A malformed input can cause a write heap overflow in the function verify_vbr_checksum. It might be possible to use this for code execution.

Upstream bug report: https://github.com/relan/exfat/issues/5
Sample file triggering the bug: https://crashes.fuzzing-project.org/exfatfsck-heap-overflow-write-verify_vbr_checksum
Git commit for fix: https://github.com/relan/exfat/commit/2e86ae5f81da11f11673d0546efb525af02b7786

Another malformed input can cause an endless loop, leading to a possible denial of service.

Upstream bug report: https://github.com/relan/exfat/issues/6
Sample file triggering the bug: https://crashes.fuzzing-project.org/exfatfsck-endless-loop
Git commit of fix: https://github.com/relan/exfat/commit/35a1f77f9be2d8b21731f758baba4334935bf18b

static uint64_t rootdir_size(const struct exfat* ef) { - uint64_t clusters = 0; + uint32_t clusters = 0; + uint32_t clusters_max = le32_to_cpu(ef->sb->cluster_count); cluster_t rootdir_cluster = le32_to_cpu(ef->sb->rootdir_cluster); - while (!CLUSTER_INVALID(rootdir_cluster)) + /* Iterate all clusters of the root directory to calculate its size. + It can't be contiguous because there is no flag to indicate this. */ + do { - clusters++; - /* root directory cannot be contiguous because there is no flag - to indicate this */ + if (clusters == clusters_max) /* infinite loop detected */ + { + exfat_error("root directory cannot occupy all %d clusters", + clusters); + return 0; + } + if (CLUSTER_INVALID(rootdir_cluster)) + { + exfat_error("bad cluster %#x while reading root directory", + rootdir_cluster); + return 0; + } rootdir_cluster = exfat_next_cluster(ef, ef->root, rootdir_cluster); + clusters++; } - if (rootdir_cluster != EXFAT_CLUSTER_END) - { - exfat_error("bad cluster %#x while reading root directory", - rootdir_cluster); - return 0; - } - return clusters * CLUSTER_SIZE(*ef->sb); + while (rootdir_cluster != EXFAT_CLUSTER_END); + + return (uint64_t) clusters * CLUSTER_SIZE(*ef->sb); } static const char* get_option(const char* options, const char* option_name)

Both issues have been fixed in the latest release 1.2.1 of exfat-utils.
https://github.com/relan/exfat/releases/tag/v1.2.1

-- 
Hanno Böck
http://hboeck.de/
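Review bot: the new error call `exfat_error("root directory cannot occupy all %d clusters", clusters)` prints `clusters` with `%d` although the hunk changes its type to `uint32_t`; use `%u` (or `PRIu32`) so the format matches the unsigned argument. The bound itself is sound: a root-directory chain that visits more clusters than `cluster_count` can only do so by cycling through the FAT, so comparing `clusters` against `clusters_max` before each step terminates the loop that the old `while (!CLUSTER_INVALID(rootdir_cluster))` never left. One consequence worth a comment in the code: when the superblock reports `cluster_count` as 0, the first iteration reports "cannot occupy all 0 clusters" instead of a bad-cluster error; the function still returns 0, so the outcome is the same, but the message is misleading for that corrupted-superblock case.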

References:

https://blog.fuzzing-project.org/25-Heap-overflow-and-endless-loop-in-exfatfsck-exfat-utils.html
https://github.com/relan/exfat/issues/5
https://crashes.fuzzing-project.org/exfatfsck-heap-overflow-write-verify_vbr_checksum
https://crashes.fuzzing-project.org/exfatfsck-endless-loop
https://github.com/relan/exfat/commit/35a1f77f9be2d8b21731f758baba4334935bf18b
https://github.com/relan/exfat/releases/tag/v1.2.1
http://seclists.org/oss-sec/2015/q4/152

