CVE-2022-50747

Vulnerability

Description An out-of-bounds write vulnerability exists in the Linux kernel's HFS filesystem implementation, specifically in the hfs_asc2mac function (fs/hfs/trans.c:133). When converting a filename to the HFS format, the function does not properly check the destination buffer length (dstlen) against the maximum HFS filename length (HFS_NAMELEN=31). If the input string in->len exceeds this limit, the while loop continues writing past the allocated buffer, causing a slab-out-of-bounds write [1][2][3][4].

Exploitation

The vulnerability can be triggered by mounting a specially crafted HFS filesystem that contains a filename longer than the expected maximum. The kernel reports a slab-out-of-bounds error via KASAN during operations such as open(path), which calls hfs_lookup and subsequently hfs_cat_build_key and hfs_asc2mac. The attack requires local access to mount a malicious filesystem image but does not require additional authentication.

Impact

A successful out-of-bounds write allows an attacker to corrupt adjacent slab memory. Depending on the memory layout, this could lead to kernel crashes (denial of service) or potentially privilege escalation through controlled memory corruption.

Mitigation

The fix adds a bounds check on dstlen within the while loop to prevent writing past the end of the destination buffer. The patch has been applied to stable kernels starting from various versions [1][2][3][4]. Users should update their Linux kernel to a version containing this commit.