Home

Description

In the Linux kernel, the following vulnerability has been resolved: hfs: Fix OOB Write in hfs_asc2mac Syzbot reported a OOB Write bug: loop0: detected capacity change from 0 to 64 ================================================================== BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 Write of size 1 at addr ffff88801848314e by task syz-executor391/3632 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:284 print_report+0x107/0x1f0 mm/kasan/report.c:395 kasan_report+0xcd/0x100 mm/kasan/report.c:495 hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28 hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31 lookup_open fs/namei.c:3391 [inline] open_last_lookups fs/namei.c:3481 [inline] path_openat+0x10e6/0x2df0 fs/namei.c:3710 do_filp_open+0x264/0x4f0 fs/namei.c:3740 If in->len is much larger than HFS_NAMELEN(31) which is the maximum length of an HFS filename, a OOB write could occur in hfs_asc2mac(). In that case, when the dst reaches the boundary, the srclen is still greater than 0, which causes a OOB write. Fix this by adding a check on dstlen in while() before writing to dst address.

PUBLISHED Reserved 2025-12-24 | Published 2025-12-24 | Updated 2025-12-24 | Assigner Linux

Product status

Default status
unaffected

328b9227865026268261a24a97a578907b280415 (git) before 8399318b13dc9e0569dee07ba2994098926d4fb2
affected

328b9227865026268261a24a97a578907b280415 (git) before 95040de81c629cd8d3c6ab5b50a8bd5088068303
affected

328b9227865026268261a24a97a578907b280415 (git) before ba8f0ca386dd15acf5a93cbac932392c7818eab4
affected

328b9227865026268261a24a97a578907b280415 (git) before 6a95b17e4d4cd2d8278559f930b447f8c9c8cff9
affected

328b9227865026268261a24a97a578907b280415 (git) before cff9fefdfbf5744afbb6d70bff2b49ec2065d23d
affected

328b9227865026268261a24a97a578907b280415 (git) before 7af9cb8cbb81308ce4b06cc7164267faccbf75dd
affected

328b9227865026268261a24a97a578907b280415 (git) before ae21b03f904736eb2aa9bd119d2a14e741f1681f
affected

328b9227865026268261a24a97a578907b280415 (git) before 88579c158e026860c61c4192531e8bc42f4bc642
affected

328b9227865026268261a24a97a578907b280415 (git) before c53ed55cb275344086e32a7080a6b19cb183650b
affected

Default status
affected

2.6.14
affected

Any version before 2.6.14
unaffected

4.9.337 (semver)
unaffected

4.14.303 (semver)
unaffected

4.19.270 (semver)
unaffected

5.4.229 (semver)
unaffected

5.10.163 (semver)
unaffected

5.15.86 (semver)
unaffected

6.0.16 (semver)
unaffected

6.1.2 (semver)
unaffected

6.2 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/8399318b13dc9e0569dee07ba2994098926d4fb2

git.kernel.org/...c/95040de81c629cd8d3c6ab5b50a8bd5088068303

git.kernel.org/...c/ba8f0ca386dd15acf5a93cbac932392c7818eab4

git.kernel.org/...c/6a95b17e4d4cd2d8278559f930b447f8c9c8cff9

git.kernel.org/...c/cff9fefdfbf5744afbb6d70bff2b49ec2065d23d

git.kernel.org/...c/7af9cb8cbb81308ce4b06cc7164267faccbf75dd

git.kernel.org/...c/ae21b03f904736eb2aa9bd119d2a14e741f1681f

git.kernel.org/...c/88579c158e026860c61c4192531e8bc42f4bc642

git.kernel.org/...c/c53ed55cb275344086e32a7080a6b19cb183650b

cve.org (CVE-2022-50747)

nvd.nist.gov (CVE-2022-50747)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.