Message-ID: <bug-199183-13602-wQlsF2YpBh@https.bugzilla.kernel.org/>
Date: Sun, 25 Mar 2018 17:23:18 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: linux-ext4@...nel.org
Subject: [Bug 199183] Invalid pointer dereference in ext4_xattr_inode_hash when mounting and later operating on a crafted image
https://bugzilla.kernel.org/show_bug.cgi?id=199183
--- Comment #3 from Wen Xu (wen.xu@...ech.edu) ---
Sorry, it was my mistake.
After debugging the kernel again, I found that it crashes here:
https://elixir.bootlin.com/linux/v4.15/source/fs/ext4/ext4.h#L2005
static inline u32 ext4_chksum(struct ext4_sb_info *sbi, u32 crc,
			      const void *address, unsigned int length)
{
	struct {
		struct shash_desc shash;
		char ctx[4];
	} desc;
	int err;

	BUG_ON(crypto_shash_descsize(sbi->s_chksum_driver)!=sizeof(desc.ctx));   <- crashes here
sbi->s_chksum_driver may not always be set up and can be NULL, while
static inline unsigned int crypto_shash_descsize(struct crypto_shash *tfm)
{
	return tfm->descsize;
}
the function crypto_shash_descsize() directly dereferences the pointer.
By the way, I reproduced it on Linux 4.15.0-12-generic, used by the latest Ubuntu 18.04.
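As an added illustration (not code from the bug report, and not the kernel's own code), the following user-space C model mirrors the pattern Wen Xu describes: a checksum helper that takes the driver pointer from the superblock info and a descsize accessor that dereferences it unconditionally, so a NULL driver crashes in the accessor. The struct names follow the kernel's, but their definitions here, the toy_crc stand-in and the ext4_chksum_checked() variant are simplified assumptions for illustration; the guarded variant shows the defensive form, which validates the driver pointer and descriptor size and returns an error instead of dereferencing NULL or hitting BUG_ON().

```c
/* Added example (not from the bug report or the kernel): a user-space model of
 * the ext4_chksum() pattern from the report. Struct names mirror the kernel's,
 * but the definitions below are simplified assumptions for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal stand-in for struct crypto_shash: only the field the bug touches. */
struct crypto_shash {
    unsigned int descsize;
};

/* Stand-in for the superblock info. The driver pointer may be NULL when no
 * checksum driver was set up at mount time, which is the case the report hits. */
struct ext4_sb_info {
    struct crypto_shash *s_chksum_driver;
};

/* Mirrors crypto_shash_descsize() as quoted: it dereferences tfm without any
 * check, so calling it with a NULL driver faults here. */
static inline unsigned int crypto_shash_descsize(struct crypto_shash *tfm)
{
    return tfm->descsize;
}

/* Hypothetical checksum stand-in so the example runs offline: a simple 32-bit
 * multiply-xor mix, not crc32c. */
static uint32_t toy_crc(uint32_t crc, const void *address, unsigned int length)
{
    const unsigned char *p = address;
    for (unsigned int i = 0; i < length; i++)
        crc = (crc ^ p[i]) * 16777619u;
    return crc;
}

/* Guarded variant (hypothetical): refuses to run when the driver was never
 * initialised, or when its descriptor would not fit the fixed-size context
 * buffer, instead of dereferencing NULL or tripping BUG_ON(). Returns 0 on
 * success and a negative errno otherwise; the checksum goes through *out. */
int ext4_chksum_checked(struct ext4_sb_info *sbi, uint32_t crc,
                        const void *address, unsigned int length,
                        uint32_t *out)
{
    struct {
        char ctx[4];
    } desc;

    if (sbi == NULL || sbi->s_chksum_driver == NULL)
        return -EINVAL;   /* the NULL-driver case from the report */
    if (crypto_shash_descsize(sbi->s_chksum_driver) != sizeof(desc.ctx))
        return -EINVAL;   /* size mismatch: an error return rather than BUG_ON() */

    memset(desc.ctx, 0, sizeof(desc.ctx));
    *out = toy_crc(crc, address, length);
    return 0;
}
```

With a superblock whose s_chksum_driver is NULL, ext4_chksum_checked() returns -EINVAL rather than faulting; with a driver whose descsize matches the 4-byte context buffer it computes the checksum, and a driver with a different descsize is also rejected with an error instead of a kernel BUG.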