F2FS Hit By Three Security Vulnerabilities: Memory Corruption, Possible Code Execution
Btrfs isn't the only Linux file-system taking some heat: the Flash-Friendly File-System (F2FS) is now having a tough week, with three CVEs going public.
Three CVEs were disclosed this morning that affect both Linux and Android, with Google's OS having already seen F2FS support. Trend Micro researchers discovered the vulnerabilities in F2FS' system structure parsing. By mounting a malicious disk or local file image, memory corruption could occur that can yield out-of-bounds writes and in turn open the kernel up to arbitrary code execution.
CVE-2017-10663 is over a missing buffer boundary check, CVE-2017-10662 is in regards to a possible integer overflow, and the third issue, CVE-2017-0750, is another missing boundary check. The third issue, though, has been fixed in Linux 4.4.73, although many Android devices are running kernels predating that LTS update.
More details on these newly-discovered F2FS file-system problems via Trend Micro's blog.