Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- 6.16.4
A slab-out-of-bounds read vulnerability has been identified in the Linux kernel's HFS+ file system implementation, specifically in the Unicode conversion function 'hfsplus_uni2asc'. It affects Linux kernel versions prior to 6.16.4. The issue arises when 'hfsplus_uni2asc' is called with a 'struct hfsplus_attr_unistr' whose Unicode buffer extends past the allocated memory, leading to a read of size 2 from an out-of-bounds address. The vulnerability was discovered during fuzzing: 'hfsplus_listxattr' passed an incorrectly sized Unicode structure to 'hfsplus_uni2asc', causing the function to read beyond its memory limits.
The slab-out-of-bounds read can potentially be exploited to read sensitive information from memory or to cause a denial-of-service condition by crashing the system.
The vulnerability can be reproduced by invoking the 'hfsplus_listxattr' function on a file system object that has an extended attribute key name structured as 'hfsplus_attr_unistr'. This will trigger the 'hfsplus_uni2asc' function with a unicode buffer that exceeds the allocated memory, causing a slab-out-of-bounds read.
Users can upgrade to Linux kernel version 6.16.4 or later, where this vulnerability has been fixed.
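The bug class described above, as an added example that is not the kernel's code or its patch: a user-space C model in which the conversion routine caps the on-disk length at the capacity of the buffer type it was actually handed. The function names and the 127/255 capacities are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model, not kernel code. Capacities are assumed values. */
#define ATTR_MAX_UNITS 127u  /* smaller buffer: attribute key name */
#define NAME_MAX_UNITS 255u  /* larger buffer: catalog file name */

/* Convert UTF-16 units to ASCII without reading past max_units.
 * stored_len comes from disk and is untrusted. Returns units consumed;
 * *clamped is 1 when stored_len exceeded the buffer capacity. */
static size_t uni2asc_bounded(const uint16_t *units, uint16_t stored_len,
                              size_t max_units, char *out, size_t out_sz,
                              int *clamped)
{
    size_t n = stored_len;

    *clamped = n > max_units;
    if (*clamped)
        n = max_units;            /* cap at what was really allocated */
    if (out_sz == 0)
        return 0;
    if (n > out_sz - 1)
        n = out_sz - 1;           /* leave room for the terminator */
    for (size_t i = 0; i < n; i++)
        out[i] = units[i] < 0x80 ? (char)units[i] : '?';
    out[n] = '\0';
    return n;
}

/* One wrapper per buffer type, so the limit follows the allocation. */
static size_t attr_name_to_ascii(const uint16_t *u, uint16_t len,
                                 char *out, size_t out_sz, int *clamped)
{
    return uni2asc_bounded(u, len, ATTR_MAX_UNITS, out, out_sz, clamped);
}

static size_t file_name_to_ascii(const uint16_t *u, uint16_t len,
                                 char *out, size_t out_sz, int *clamped)
{
    return uni2asc_bounded(u, len, NAME_MAX_UNITS, out, out_sz, clamped);
}

int main(void)
{
    uint16_t key[ATTR_MAX_UNITS];  /* constructed sample input */
    char out[256];
    int clamped;

    for (size_t i = 0; i < ATTR_MAX_UNITS; i++)
        key[i] = 'a';
    size_t n = attr_name_to_ascii(key, 200, out, sizeof out, &clamped);
    printf("consumed=%zu clamped=%d\n", n, clamped);
    return 0;
}
```

A clamped result is worth logging in a real parser, since a stored length above the buffer capacity indicates a corrupted or crafted on-disk record.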