| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 03 Apr 2018 16:43:43 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: linux-ext4@...nel.org
Subject: [Bug 199275] New: Invalid pointer dereference in
ext4_get_group_info() when mounting a crafted ext4 image
https://bugzilla.kernel.org/show_bug.cgi?id=199275
Bug ID: 199275
Summary: Invalid pointer dereference in ext4_get_group_info()
when mounting a crafted ext4 image
Product: File System
Version: 2.5
Kernel Version: 4.x
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: ext4
Assignee: fs_ext4@...nel-bugs.osdl.org
Reporter: wen.xu@...ech.edu
Regression: No
Created attachment 275091
--> https://bugzilla.kernel.org/attachment.cgi?id=275091&action=edit
The crafted image which causes kernel panic
- Overview
Invalid pointer dereference in ext4_get_group_info() when mounting a crafted
ext4 image
- Reproduce (tested on 4.4/4.15)
# mkdir mnt
# mount -t ext4 88.img mnt
- Reason
https://elixir.bootlin.com/linux/v4.15/source/fs/ext4/ext4.h#L2766
Kernel misses sanitary check on EXT4_SB(sb)->s_group_info in
ext4_get_group_info
- Kernel dump
[ 48.581147] EXT4-fs (loop0): barriers disabled
[ 48.581223] JBD2: Clearing recovery information on journal
[ 48.584375] EXT4-fs (loop0): corrupt root inode, run e2fsck
[ 48.584455] BUG: unable to handle kernel NULL pointer dereference at
(null)
[ 48.584485] IP: [<ffffffff812de12d>] ext4_free_blocks+0x1ed/0xc00
[ 48.584513] PGD 80000000392b0067 PUD 39281067 PMD 0
[ 48.584534] Oops: 0000 [#1] SMP
[ 48.584549] Modules linked in: vmw_vsock_vmci_transport vsock ppdev
vmw_balloon coretemp joydev input_leds serio_raw uvcvideo snd_ens1371
videobuf2_vmalloc snd_ac97_codec videobuf2_memops videobuf2_v4l2 gameport
videobuf2_core snd_rawmidi v4l2_common snd_seq_device ac97_bus btusb btrtl
videodev snd_pcm btbcm btintel bluetooth snd_timer media snd soundcore vmw_vmci
i2c_piix4 shpchp nfit 8250_fintek parport_pc parport mac_hid ib_iser rdma_cm
iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi
scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov
async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0
multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper
[ 48.584896] cryptd vmwgfx ttm psmouse drm_kms_helper syscopyarea
sysfillrect sysimgblt fb_sys_fops mptspi mptscsih ahci libahci e1000 drm
mptbase scsi_transport_spi pata_acpi fjes
[ 48.584974] CPU: 0 PID: 1387 Comm: mount Not tainted 4.4.0-116-generic
#140-Ubuntu
[ 48.584999] Hardware name: VMware, Inc. VMware Virtual Platform/440BX
Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 48.585033] task: ffff880037b3aa00 ti: ffff8800393d4000 task.ti:
ffff8800393d4000
[ 48.585058] RIP: 0010:[<ffffffff812de12d>] [<ffffffff812de12d>]
ext4_free_blocks+0x1ed/0xc00
[ 48.585089] RSP: 0018:ffff8800393d7988 EFLAGS: 00010246
[ 48.585107] RAX: ffff88003786f800 RBX: 0000000000000001 RCX:
0000000000000000
[ 48.585129] RDX: 0000000000000020 RSI: 0000000000000000 RDI:
0000000000000000
[ 48.585152] RBP: ffff8800393d7a60 R08: ffff8800393d79ec R09:
ffff8800393d79e8
[ 48.585198] R10: ffff8800393d7880 R11: ffff8800395d7988 R12:
0000000000000001
[ 48.585219] R13: ffff88003786f000 R14: 0000000000000001 R15:
000000000000002c
[ 48.585240] FS: 00007f228f21b840(0000) GS:ffff88003c600000(0000)
knlGS:0000000000000000
[ 48.585264] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 48.585281] CR2: 0000000000000000 CR3: 0000000033684000 CR4:
0000000000160670
[ 48.585337] Stack:
[ 48.585345] 000000000000002c ffff8800395a74e0 ffff8800395a7548
ffffffff81f3c9c0
[ 48.585372] ffff8800395a72d8 ffff8800395a7340 ffff88003af29000
ffff88003786f000
[ 48.585398] 0000000000000001 00000013812cc1d0 ffff88003786f800
ffff8800395d7a58
[ 48.585425] Call Trace:
[ 48.586053] [<ffffffff8124bddd>] ? __find_get_block+0x10d/0x120
[ 48.586737] [<ffffffff812d0708>] ext4_ext_remove_space+0xa68/0x11f0
[ 48.587402] [<ffffffff812d2dfe>] ext4_ext_truncate+0x9e/0xd0
[ 48.588029] [<ffffffff812a5a04>] ext4_truncate+0x364/0x460
[ 48.588624] [<ffffffff812a6697>] ext4_evict_inode+0x3f7/0x4f0
[ 48.589215] [<ffffffff8122f9f1>] evict+0xc1/0x190
[ 48.589780] [<ffffffff8122fcd7>] iput+0x1c7/0x250
[ 48.590504] [<ffffffff812c69ff>] ext4_fill_super+0x1ecf/0x3020
[ 48.591058] [<ffffffff81217410>] mount_bdev+0x270/0x2c0
[ 48.591601] [<ffffffff812c4b30>] ? ext4_calculate_overhead+0x3c0/0x3c0
[ 48.592091] [<ffffffff812b5595>] ext4_mount+0x15/0x20
[ 48.592581] [<ffffffff81217e4d>] mount_fs+0x3d/0x170
[ 48.593060] [<ffffffff811b7575>] ? __alloc_percpu+0x15/0x20
[ 48.593509] [<ffffffff81234647>] vfs_kern_mount+0x67/0x110
[ 48.593959] [<ffffffff81236cff>] do_mount+0x25f/0xda0
[ 48.594460] [<ffffffff81215c33>] ? __fput+0x193/0x230
[ 48.594904] [<ffffffff811f5bd6>] ? __kmalloc_track_caller+0x1b6/0x250
[ 48.595302] [<ffffffff811b1d32>] ? memdup_user+0x42/0x70
[ 48.595687] [<ffffffff81237b7f>] SyS_mount+0x9f/0x100
[ 48.596065] [<ffffffff8184efc8>] entry_SYSCALL_64_fastpath+0x1c/0xbb
[ 48.596435] Code: ff 49 8b 85 58 04 00 00 8b 75 8c 3b 70 40 0f 83 35 08 00
00 8b 88 a8 00 00 00 89 f2 48 8b b8 78 02 00 00 d3 ea 89 d1 48 8b 50 38 <48> 8b
0c cf 48 83 ea 01 21 f2 48 8b 14 d1 48 8b 12 83 e2 04 0f
[ 48.597819] RIP [<ffffffff812de12d>] ext4_free_blocks+0x1ed/0xc00
[ 48.598225] RSP <ffff8800393d7988>
[ 48.598598] CR2: 0000000000000000
[ 48.598996] ---[ end trace 6f4a81a91bc49fd0 ]---
- Credit
Reported by Wen Xu from SSLab, Gatech
--
You are receiving this mail because:
You are watching the assignee of the bug.
Powered by blists - more mailing lists