Linux Kernel HFS Out-of-Bounds Read Vulnerability in Inode Writing Function

Vulnerability

An out-of-bounds read vulnerability has been identified in the Linux kernel's HFS file system implementation. The issue arises in the 'hfs_write_inode' function, specifically within the 'bfind' module. The out-of-bounds read occurs when the length of a filename exceeds the maximum allowed limit, so that memory outside the intended bounds is read. The vulnerability was reported by Syzbot and is present in Linux kernel versions through 6.1.0-rc6.

Impact

Exploitation of this vulnerability causes a slab-out-of-bounds read, which can potentially lead to information disclosure or memory corruption.

Reproduction

The vulnerability can be reproduced by creating an HFS file system inode with a filename length greater than the maximum allowed length of 31 characters. This can be done by manipulating the name length in the inode's catalog key before the 'hfs_write_inode' function is called, causing the function to read beyond the memory allocated for the filename.

Remediation

The vulnerability has been addressed by adding a check on the length of the filename in the 'hfs_write_inode' function before calling the 'hfs_brec_find' function. Users should upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.
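
The length check described above, modeled in userspace C as an added example (it is not the kernel's code or the actual patch). The structure layout, the function names `name_overread`, `name_cmp` and `checked_lookup`, and the `-EIO` return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HFS_NAMELEN 31 /* maximum filename length stated in the advisory */

/* Simplified model of a length-prefixed HFS name inside a catalog key. */
struct hfs_name {
    uint8_t len;               /* length byte taken from the (untrusted) image */
    uint8_t name[HFS_NAMELEN]; /* fixed-size storage for the name */
};

/* Bytes a consumer trusting `len` would read past name[] (0 = in bounds). */
size_t name_overread(const struct hfs_name *n)
{
    return n->len > HFS_NAMELEN ? (size_t)n->len - HFS_NAMELEN : 0;
}

/* Hypothetical stand-in for the B-tree key comparison: it walks `len` bytes,
 * so it is only safe when both lengths have already been validated. */
static int name_cmp(const struct hfs_name *a, const struct hfs_name *b)
{
    size_t n = a->len < b->len ? a->len : b->len;
    int r = memcmp(a->name, b->name, n);
    return r ? r : (int)a->len - (int)b->len;
}

/*
 * Hardened lookup: validate the length before any code that trusts it runs.
 * Returns -EIO (assumed error code) for a corrupt key, 1 on match, 0 otherwise.
 */
int checked_lookup(const struct hfs_name *search, const struct hfs_name *rec)
{
    if (search->len > HFS_NAMELEN || rec->len > HFS_NAMELEN)
        return -EIO;
    return name_cmp(search, rec) == 0;
}
```
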

Added: Oct 22, 2025, 3:15 PM
Updated: Oct 22, 2025, 3:15 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.