CVE-2023-33551: erofs-utils heap-based overflow when extract a file system image via fsck.erofs · Issue #2 · lometsj/blog_repo
Heap Buffer Overflow in the erofsfsck_dirent_iter function in fsck/main.c in erofs-utils v1.6 allows remote attackers to execute arbitrary code via a crafted erofs filesystem image.
project
https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git
env
tested on Fedora 37
version
erofs-utils v1.6
reproduce
```
➜ erofs-utils ./fsck/fsck.erofs --extract=/tmp/test_out ./output_fsck2/default:id:000015,sig:06,src:000042,time:27700764,execs:109211703,op:havoc,rep:8
free(): invalid pointer
[1] 469358 IOT instruction (core dumped) ./fsck/fsck.erofs --extract=/tmp/test_out
➜ erofs-utils ./fsck/fsck.erofs -V
fsck.erofs 1.6
➜ erofs-utils
```
bug analysis
In fsck/main.c, erofsfsck_parse_options_cfg() allocates fsckcfg.extract_path with a fixed size of PATH_MAX, which is 4096 on Linux:

```c
fsckcfg.extract_path = malloc(PATH_MAX);
```

erofsfsck_dirent_iter() then appends a '/' and each directory entry's name to that buffer as fsck recurses into the image, and nothing checks that the accumulated path still fits in the allocation. If the image's directory tree is deep enough (or its entry names long enough) for the concatenated path to exceed 4096 bytes, the strncpy() below writes past the end of the heap buffer. The `free(): invalid pointer` abort in the reproduction above is glibc's allocator detecting corrupted heap metadata when a chunk is later freed.
```c
static int erofsfsck_dirent_iter(struct erofs_dir_context *ctx)
{
	int ret;
	size_t prev_pos = fsckcfg.extract_pos;

	if (ctx->dot_dotdot)
		return 0;

	if (fsckcfg.extract_path) {
		size_t curr_pos = prev_pos;

		/* no check that curr_pos + 1 + de_namelen + 1 <= PATH_MAX */
		fsckcfg.extract_path[curr_pos++] = '/';
		strncpy(fsckcfg.extract_path + curr_pos, ctx->dname, /* overflow happens here */
			ctx->de_namelen);
		curr_pos += ctx->de_namelen;
		fsckcfg.extract_path[curr_pos] = '\0';
		fsckcfg.extract_pos = curr_pos;
	}

	/* recurses into the child inode with the extended path */
	ret = erofsfsck_check_inode(ctx->dir->nid, ctx->de_nid);

	/* restore the parent prefix on the way back up */
	if (fsckcfg.extract_path) {
		fsckcfg.extract_path[prev_pos] = '\0';
		fsckcfg.extract_pos = prev_pos;
	}
	return ret;
}
```
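To make the failure mode concrete, here is an added example (my own code, not erofs-utils' code and not the fix that later shipped): it models the push / recurse / pop sequence above, reproduces the arithmetic of the unchecked strncpy without performing the out-of-bounds write, and shows the bounds check that refuses a path that would not fit. The function names, the choice of ENAMETOOLONG as the error code, and the constructed chain of identically named nested directories are all assumptions.

```c
/* Added example, not erofs-utils code: models the extract_path handling of
 * erofsfsck_dirent_iter() with the bounds check it lacks. The function names
 * and the constructed deep directory chain are hypothetical. */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Arithmetic of the ORIGINAL unchecked sequence '/' + name + '\0' at offset
 * pos of a bufsize-byte buffer: how many bytes land past the end (0 if it
 * fits). Nothing is written; this only reproduces the overflow math. */
size_t overrun_bytes(size_t bufsize, size_t pos, size_t namelen)
{
	size_t end = pos + 1 + namelen + 1;
	return end > bufsize ? end - bufsize : 0;
}

/* Hardened append: same layout as the original, but fails instead of writing
 * past the buffer (ENAMETOOLONG is an assumed choice of error code). */
int path_push(char *buf, size_t bufsize, size_t *pos,
	      const char *name, size_t namelen)
{
	if (*pos + 1 + namelen + 1 > bufsize)
		return -ENAMETOOLONG;
	buf[(*pos)++] = '/';
	memcpy(buf + *pos, name, namelen);
	*pos += namelen;
	buf[*pos] = '\0';
	return 0;
}

/* Restore the parent prefix after descending, as the original does. */
void path_pop(char *buf, size_t *pos, size_t prev_pos)
{
	buf[prev_pos] = '\0';
	*pos = prev_pos;
}

/* push / descend / pop, mirroring the iterator around its recursive inode
 * check, over a constructed chain of `depth` nested directories all named
 * `name` (the deep-tree shape a crafted image needs). Records the longest
 * path built in *max_pos and stops at the first level that does not fit. */
int walk(char *buf, size_t bufsize, size_t *pos, const char *name,
	 unsigned depth, size_t *max_pos)
{
	size_t prev = *pos;
	int ret;

	if (!depth)
		return 0;
	ret = path_push(buf, bufsize, pos, name, strlen(name));
	if (ret)
		return ret;
	if (*pos > *max_pos)
		*max_pos = *pos;
	ret = walk(buf, bufsize, pos, name, depth - 1, max_pos);
	path_pop(buf, pos, prev);
	return ret;
}

/* Run walk() with a freshly allocated bufsize-byte path buffer (the role of
 * the PATH_MAX malloc in the original). */
int walk_chain(size_t bufsize, const char *name, unsigned depth,
	       size_t *max_pos)
{
	char *buf = malloc(bufsize);
	size_t pos = 0;
	int ret;

	*max_pos = 0;
	if (!buf)
		return -ENOMEM;
	buf[0] = '\0';
	ret = walk(buf, bufsize, &pos, name, depth, max_pos);
	free(buf);
	return ret;
}

/* Out-parameter-free wrappers: does the whole chain fit, and how deep did
 * the path get before the walk stopped? */
int chain_fits(size_t bufsize, const char *name, unsigned depth)
{
	size_t m;
	return walk_chain(bufsize, name, depth, &m) == 0;
}

size_t chain_max_pos(size_t bufsize, const char *name, unsigned depth)
{
	size_t m;
	walk_chain(bufsize, name, depth, &m);
	return m;
}
```

With a 64-byte buffer standing in for the 4096-byte allocation, seven levels of an 8-character name fit exactly (63 bytes plus the terminator) and the eighth level is refused with -ENAMETOOLONG, whereas overrun_bytes() shows that the original sequence would have written past the end instead. The same arithmetic scaled to PATH_MAX gives the depth a crafted image needs: 455 such levels fit, the 456th does not.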
attachment (the crafted image used in the reproduction above): default_id_000015,sig_06,src_000042,time_27700764,execs_109211703,op_havoc,rep_8.zip