Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <f4df42b35dd9a6c8c6851eba66b2b3f1.squirrel@webmail-etu.univ-nantes.fr>
Date: Tue, 29 Mar 2016 19:24:25 +0200 (CEST)
From: "Hugues ANGUELKOV" <hugues.anguelkov@....univ-nantes.fr>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE Request - Linux kernel (multiple versions) ext2/ext3 
     filesystem DoS

Hello,

The linux kernel is prone to a Denial of service when mounting specially
crafted ext2/ext3 (possibly ext4) filesystems. This occurs in the function
ext4_handle_error who call the panic function on precise circumstance.
This was tested on severals linux kernel version: 3.10, 3.18, 3.19, on
real hardware and Xen DomU PV & HVM (the crash report attached is from a
Fedora 3.18 PV DomU), from different distribution release: Ubuntu, CentOS,
Fedora, Linux Mint, QubesOS.
This a low security impact bug, because generally only root can mount
image, however on Desktop (or possibly server?) system configured with
automount the bug is easily triggable (think of android smartphone?Haven't
test yet).
The crafted image may be burn onto SD card or USB key to crash a large
panel of linux box.


[ 929.200197] EXT4-fs error (device loop0): ext4_iget:4058: inode #2: comm
mount: bad extended attribute block 8390656
[ 929.200226] Kernel panic - not syncing: EXT4-fs (device loop0): panic
forced after error
[ 929.200226]
[ 929.200230] CPU: 1 PID: 980 Comm: mount Tainted: G O
3.18.17-8.pvops.qubes.x86_64 #1
[ 929.200233] 0000000000000000 000000007533690c ffff88000ea07aa8
ffffffff81722191
[ 929.200237] 0000000000000000 ffffffff81a84108 ffff88000ea07b28
ffffffff8171a462
[ 929.200240] ffff880000000010 ffff88000ea07b38 ffff88000ea07ad8
000000007533690c
[ 929.200244] Call Trace:
[ 929.200249] [<ffffffff81722191>] dump_stack+0x46/0x58
[ 929.200253] [<ffffffff8171a462>] panic+0xd0/0x204
[ 929.200257] [<ffffffff812ae4d6>] ext4_handle_error.part.188+0x96/0xa0
[ 929.200260] [<ffffffff812ae838>] __ext4_error_inode+0xa8/0x180
[ 929.200264] [<ffffffff81292869>] ext4_iget+0x929/0xae0
[ 929.200267] [<ffffffff812b31fb>] ext4_fill_super+0x18db/0x2b60
[ 929.200270] [<ffffffff8120af20>] mount_bdev+0x1b0/0x1f0
[ 929.200273] [<ffffffff812b1920>] ? ext4_calculate_overhead+0x3d0/0x3d0
[ 929.200276] [<ffffffff812a3425>] ext4_mount+0x15/0x20
[ 929.200278] [<ffffffff8120b879>] mount_fs+0x39/0x1b0
[ 929.200282] [<ffffffff811afd95>] ? __alloc_percpu+0x15/0x20
[ 929.200285] [<ffffffff8122754b>] vfs_kern_mount+0x6b/0x110
[ 929.200287] [<ffffffff8122a38c>] do_mount+0x22c/0xb60
[ 929.200290] [<ffffffff811aab96>] ? memdup_user+0x46/0x80
[ 929.200292] [<ffffffff8122b002>] SyS_mount+0xa2/0x110
[ 929.200295] [<ffffffff8172a609>] system_call_fastpath+0x12/0x17
[ 929.200301] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation
range: 0xffffffff80000000-0xffffffff9fffffff)c

I cannot attach the PoC (2x2MB too large) nor sending it in plain text
(they are filesystems), so I've uploaded it on this website of free file
sharing ... (sorry for the inconvenient):
poc.ext2 https://1fichier.com/?zbk2gohk8s
poc.ext3 https://1fichier.com/?9r0c8agjfa

Can you assign a CVE for this?
Thank for reading and your time.

Hugues ANGUELKOV.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.