Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.16.0-rc3, < 6.16.0-rc3
A slab-out-of-bounds read vulnerability has been identified in the Linux kernel's HFS+ file system implementation. This issue arises in the 'hfsplus_uni2asc()' function, which is called by 'hfsplus_readdir()'. The vulnerability can lead to a crash by reading beyond allocated memory, potentially allowing for memory corruption. The problem occurs when the length of a 'hfsplus_unistr' structure exceeds 255 bytes, causing a read operation to access invalid memory. This vulnerability has been observed in Linux kernel version 6.16.0-rc3.
Exploitation of this vulnerability causes a denial-of-service condition by crashing the system.
The vulnerability can be reproduced by creating an HFS+ file system with a Catalog File b-tree node that includes a Unicode string longer than 255 bytes. Once this file system is mounted, the 'hfsplus_readdir()' function can be called, which triggers the 'hfsplus_uni2asc()' function. The 'hfsplus_uni2asc()' function then attempts to read the oversized Unicode string, leading to a slab-out-of-bounds read error. This can be observed in the kernel log, where KASAN (Kernel Address Sanitizer) reports the out-of-bounds read, including the memory address that was accessed.
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been patched. Instructions for downloading the patched version are available on the official Linux kernel website.
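The kind of bounds check this bug class calls for, as an added userspace illustration that is not the kernel's code or the upstream patch: the length field read from disk is clamped to the array capacity before the conversion loop uses it. The struct layout and the names 'disk_unistr', 'unistr_to_ascii' and 'convert_sample' are assumptions made for this example; only the 255 limit comes from the description above.

```c
#include <stdint.h>
#include <stdio.h>

#define NAME_MAX_UNITS 255 /* limit named in the description above */
/* Assumed model of an on-disk name: big-endian length, then UTF-16BE units. */
struct disk_unistr {
    uint8_t length_be[2];
    uint8_t units_be[NAME_MAX_UNITS][2];
};

/* Convert to ASCII without trusting the length field beyond the array size.
 * Returns characters written, or -1 if out is too small; sets *clamped. */
static int unistr_to_ascii(const struct disk_unistr *s, char *out,
                           size_t out_len, int *clamped)
{
    size_t n = ((size_t)s->length_be[0] << 8) | s->length_be[1];
    *clamped = n > NAME_MAX_UNITS;
    if (*clamped)
        n = NAME_MAX_UNITS; /* without this, the loop reads past units_be */
    if (out_len < n + 1)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned u = ((unsigned)s->units_be[i][0] << 8) | s->units_be[i][1];
        out[i] = (u >= 0x20 && u < 0x7f) ? (char)u : '?';
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample: a record filled with 'A' whose length field claims
 * `claimed` units. Returns the converted length, negated if it was clamped. */
static int convert_sample(unsigned claimed)
{
    struct disk_unistr s = {{0}};
    char out[NAME_MAX_UNITS + 1];
    int clamped, n;
    for (size_t i = 0; i < NAME_MAX_UNITS; i++)
        s.units_be[i][1] = 'A';
    s.length_be[0] = (uint8_t)(claimed >> 8);
    s.length_be[1] = (uint8_t)(claimed & 0xff);
    n = unistr_to_ascii(&s, out, sizeof(out), &clamped);
    return clamped ? -n : n;
}

int main(void)
{
    printf("10 -> %d, 300 -> %d\n", convert_sample(10), convert_sample(300));
    return 0;
}
```

A negative result marks a record whose stored length had to be corrected, which is also the condition worth logging when handling untrusted file system images.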