Hacker News Re-Imagined

CVE-2021-33909: size_t-to-int vulnerability in Linux's filesystem layer

2 hours ago

Created a post 57 points @jwilk

CVE-2021-33909: size_t-to-int vulnerability in Linux's filesystem layer

@cesarb 18 minutes

Replying to @jwilk 🎙

This kind of issue is the reason why some more modern languages like Rust or Go do not have implicit narrowing conversions. For instance, on Rust, trying to simply pass an usize (Rust's equivalent of size_t) to a function which expects an i32 (Rust's equivalent of int) will not compile; the programmer has to write "size as i32" (Rust's equivalent of "(int) size"), which makes it explicit that it might truncate the value at that point.

(Some Rust developers argue that even "size as i32" should be avoided, and "size.try_into()" should be used instead, since it forces the programmer to treat an overflow explicitly at runtime, instead of silently wrapping.)

Reply


@mnw21cam 17 minutes

Replying to @jwilk 🎙

I love the little nugget in the mitigations section. You can plug the hole for a normal filesystem, but then FUSE filesystems have an additional problem: "if an attacker FUSE-mounts a long directory (longer than 8MB), then systemd exhausts its stack, crashes, and therefore crashes the entire operating system (a kernel panic)."

If there's one place other than the kernel where truly defensive programming should be applied, it is systemd.

Reply


@Zababa 34 minutes

Replying to @jwilk 🎙

> Unfortunately, this size_t is also passed to functions whose size argument is an int (a signed 32-bit integer), not a size_t.

Is this the type of things that could be caught by a linter or strict compilation rules? This seems to be to be a failure of the type system.

Reply


@kvathupo 27 minutes

Replying to @jwilk 🎙

Cached mirror - https://webcache.googleusercontent.com/search?q=cache:LwH96X...

I'm clueless about security: where does this fall on the scale of non-issue to critical? It strikes me as tending towards the latter, given that it enables unprivileged users to become root. Any insight into past Linux Kernel vulnerabilities that were severe?

Reply


@Deukhoofd 22 minutes

Replying to @jwilk 🎙

I see in the mail that Red Hat sent out patches to resolve this. Are those patches already merged, or is this a CVE about a live exploit?

Reply


About Us

site design / logo © 2021 Box Piper