|
Message-Id: <57514A3C-DBAD-4E5E-98EA-23E490629C02@dilger.ca>
Date: Tue, 29 Mar 2016 16:56:11 -0600
From: Andreas Dilger <adilger@...ger.ca>
To: Yves-Alexis Perez <corsac@...ian.org>
Cc: oss-security@...ts.openwall.com,
Theodore Tso <tytso@...gle.com>,
linux-ext4@...r.kernel.org
Subject: Re: CVE Request - Linux kernel (multiple versions) ext2/ext3 filesystem DoS
On Mar 29, 2016, at 3:14 PM, Yves-Alexis Perez <corsac@...ian.org> wrote:
>
> [dropping MITRE from CC since it's not about the CVE]
> [adding ext and Theodore to CC]
>
> On mar., 2016-03-29 at 19:24 +0200, Hugues ANGUELKOV wrote:
>> Hello,
>>
>> The linux kernel is prone to a Denial of service when mounting specially
>> crafted ext2/ext3 (possibly ext4) filesystems. This occurs in the function
>> ext4_handle_error who call the panic function on precise circumstance.
>
> Did you contact the upstream maintainers about this? I'm adding them just in
> case they're not already aware of that…
>
>> This was tested on severals linux kernel version: 3.10, 3.18, 3.19, on
>> real hardware and Xen DomU PV & HVM (the crash report attached is from a
>> Fedora 3.18 PV DomU), from different distribution release: Ubuntu, CentOS,
>> Fedora, Linux Mint, QubesOS.
>> This a low security impact bug, because generally only root can mount
>> image, however on Desktop (or possibly server?) system configured with
>> automount the bug is easily triggable (think of android smartphone? Haven't
>> test yet).
It seems that the important point here is that the filesystem has
"s_errors=EXT4_ERRORS_PANIC" set in the superblock? I don't think
the actual corruption that triggered the ext4_error() call is important,
since there are any number of other failure cases that could generate
a similar error.
It seems practical to change s_errors at mount time from EXT4_ERRORS_PANIC
to EXT4_ERRORS_RO for filesystems mounted by regular users. The question
is whether there is a way for the ext4 code to know this at mount time?
Cheers, Andreas
>> The crafted image may be burn onto SD card or USB key to crash a large
>> panel of linux box.
>>
>>
>> [ 929.200197] EXT4-fs error (device loop0): ext4_iget:4058: inode #2: comm
>> mount: bad extended attribute block 8390656
>> [ 929.200226] Kernel panic - not syncing: EXT4-fs (device loop0): panic
>> forced after error
>> [ 929.200226]
>> [ 929.200230] CPU: 1 PID: 980 Comm: mount Tainted: G O
>> 3.18.17-8.pvops.qubes.x86_64 #1
>> [ 929.200233] 0000000000000000 000000007533690c ffff88000ea07aa8
>> ffffffff81722191
>> [ 929.200237] 0000000000000000 ffffffff81a84108 ffff88000ea07b28
>> ffffffff8171a462
>> [ 929.200240] ffff880000000010 ffff88000ea07b38 ffff88000ea07ad8
>> 000000007533690c
>> [ 929.200244] Call Trace:
>> [ 929.200249] [<ffffffff81722191>] dump_stack+0x46/0x58
>> [ 929.200253] [<ffffffff8171a462>] panic+0xd0/0x204
>> [ 929.200257] [<ffffffff812ae4d6>] ext4_handle_error.part.188+0x96/0xa0
>> [ 929.200260] [<ffffffff812ae838>] __ext4_error_inode+0xa8/0x180
>> [ 929.200264] [<ffffffff81292869>] ext4_iget+0x929/0xae0
>> [ 929.200267] [<ffffffff812b31fb>] ext4_fill_super+0x18db/0x2b60
>> [ 929.200270] [<ffffffff8120af20>] mount_bdev+0x1b0/0x1f0
>> [ 929.200273] [<ffffffff812b1920>] ? ext4_calculate_overhead+0x3d0/0x3d0
>> [ 929.200276] [<ffffffff812a3425>] ext4_mount+0x15/0x20
>> [ 929.200278] [<ffffffff8120b879>] mount_fs+0x39/0x1b0
>> [ 929.200282] [<ffffffff811afd95>] ? __alloc_percpu+0x15/0x20
>> [ 929.200285] [<ffffffff8122754b>] vfs_kern_mount+0x6b/0x110
>> [ 929.200287] [<ffffffff8122a38c>] do_mount+0x22c/0xb60
>> [ 929.200290] [<ffffffff811aab96>] ? memdup_user+0x46/0x80
>> [ 929.200292] [<ffffffff8122b002>] SyS_mount+0xa2/0x110
>> [ 929.200295] [<ffffffff8172a609>] system_call_fastpath+0x12/0x17
>> [ 929.200301] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation
>> range: 0xffffffff80000000-0xffffffff9fffffff)c
>>
>> I cannot attach the PoC (2x2MB too large) nor sending it in plain text
>> (they are filesystems), so I've uploaded it on this website of free file
>> sharing ... (sorry for the inconvenient):
>> poc.ext2 https://1fichier.com/?zbk2gohk8s
>> poc.ext3 https://1fichier.com/?9r0c8agjfa
>>
>> Can you assign a CVE for this?
>> Thank for reading and your time.
>>
>> Hugues ANGUELKOV.
>>
>>
> --
> Yves-Alexis
>
Cheers, Andreas
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.