CVE-2023-4273: a vulnerability in the Linux exFAT driver

According to the exFAT file system specification, the maximum length of a file name is 255 characters (UTF-16LE):

The FileName field shall contain a Unicode string, which is a portion of the file name. In the order File Name directory entries exist in a File directory entry set, FileName fields concatenate to form the file name for the File directory entry set. Given the length of the FileName field, 15 characters, and the maximum number of File Name directory entries, 17, the maximum length of the final, concatenated file name is 255.

This limit wasn’t really enforced in the exFAT driver of the Linux kernel, so it could be possible to craft a File directory entry set containing more than 17 File Name directory entries resulting in a concatenated file name much longer than 255 characters. And all of these characters were copied into a stack-allocated array of 258 characters.

So, here comes a stack overflow. But how to weaponize it?

Continue reading “CVE-2023-4273: a vulnerability in the Linux exFAT driver”