lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <bug-199275-13602@https.bugzilla.kernel.org/>
Date:   Tue, 03 Apr 2018 16:43:43 +0000
From:   bugzilla-daemon@...zilla.kernel.org
To:     linux-ext4@...nel.org
Subject: [Bug 199275] New: Invalid pointer dereference in
 ext4_get_group_info() when mounting a crafted ext4 image

https://bugzilla.kernel.org/show_bug.cgi?id=199275

            Bug ID: 199275
           Summary: Invalid pointer dereference in ext4_get_group_info()
                    when mounting a crafted ext4 image
           Product: File System
           Version: 2.5
    Kernel Version: 4.x
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@...nel-bugs.osdl.org
          Reporter: wen.xu@...ech.edu
        Regression: No

Created attachment 275091
  --> https://bugzilla.kernel.org/attachment.cgi?id=275091&action=edit
The crafted image which causes kernel panic

- Overview
Invalid pointer dereference in ext4_get_group_info() when mounting a crafted
ext4 image

- Reproduce (tested on 4.4/4.15)
# mkdir mnt
# mount -t ext4 88.img mnt

- Reason
https://elixir.bootlin.com/linux/v4.15/source/fs/ext4/ext4.h#L2766
Kernel misses sanitary check on EXT4_SB(sb)->s_group_info in
ext4_get_group_info

- Kernel dump 
[   48.581147] EXT4-fs (loop0): barriers disabled
[   48.581223] JBD2: Clearing recovery information on journal
[   48.584375] EXT4-fs (loop0): corrupt root inode, run e2fsck
[   48.584455] BUG: unable to handle kernel NULL pointer dereference at        
  (null)
[   48.584485] IP: [<ffffffff812de12d>] ext4_free_blocks+0x1ed/0xc00
[   48.584513] PGD 80000000392b0067 PUD 39281067 PMD 0
[   48.584534] Oops: 0000 [#1] SMP
[   48.584549] Modules linked in: vmw_vsock_vmci_transport vsock ppdev
vmw_balloon coretemp joydev input_leds serio_raw uvcvideo snd_ens1371
videobuf2_vmalloc snd_ac97_codec videobuf2_memops videobuf2_v4l2 gameport
videobuf2_core snd_rawmidi v4l2_common snd_seq_device ac97_bus btusb btrtl
videodev snd_pcm btbcm btintel bluetooth snd_timer media snd soundcore vmw_vmci
i2c_piix4 shpchp nfit 8250_fintek parport_pc parport mac_hid ib_iser rdma_cm
iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi
scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov
async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0
multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper
[   48.584896]  cryptd vmwgfx ttm psmouse drm_kms_helper syscopyarea
sysfillrect sysimgblt fb_sys_fops mptspi mptscsih ahci libahci e1000 drm
mptbase scsi_transport_spi pata_acpi fjes
[   48.584974] CPU: 0 PID: 1387 Comm: mount Not tainted 4.4.0-116-generic
#140-Ubuntu
[   48.584999] Hardware name: VMware, Inc. VMware Virtual Platform/440BX
Desktop Reference Platform, BIOS 6.00 07/02/2015
[   48.585033] task: ffff880037b3aa00 ti: ffff8800393d4000 task.ti:
ffff8800393d4000
[   48.585058] RIP: 0010:[<ffffffff812de12d>]  [<ffffffff812de12d>]
ext4_free_blocks+0x1ed/0xc00
[   48.585089] RSP: 0018:ffff8800393d7988  EFLAGS: 00010246
[   48.585107] RAX: ffff88003786f800 RBX: 0000000000000001 RCX:
0000000000000000
[   48.585129] RDX: 0000000000000020 RSI: 0000000000000000 RDI:
0000000000000000
[   48.585152] RBP: ffff8800393d7a60 R08: ffff8800393d79ec R09:
ffff8800393d79e8
[   48.585198] R10: ffff8800393d7880 R11: ffff8800395d7988 R12:
0000000000000001
[   48.585219] R13: ffff88003786f000 R14: 0000000000000001 R15:
000000000000002c
[   48.585240] FS:  00007f228f21b840(0000) GS:ffff88003c600000(0000)
knlGS:0000000000000000
[   48.585264] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   48.585281] CR2: 0000000000000000 CR3: 0000000033684000 CR4:
0000000000160670
[   48.585337] Stack:
[   48.585345]  000000000000002c ffff8800395a74e0 ffff8800395a7548
ffffffff81f3c9c0
[   48.585372]  ffff8800395a72d8 ffff8800395a7340 ffff88003af29000
ffff88003786f000
[   48.585398]  0000000000000001 00000013812cc1d0 ffff88003786f800
ffff8800395d7a58
[   48.585425] Call Trace:
[   48.586053]  [<ffffffff8124bddd>] ? __find_get_block+0x10d/0x120
[   48.586737]  [<ffffffff812d0708>] ext4_ext_remove_space+0xa68/0x11f0
[   48.587402]  [<ffffffff812d2dfe>] ext4_ext_truncate+0x9e/0xd0
[   48.588029]  [<ffffffff812a5a04>] ext4_truncate+0x364/0x460
[   48.588624]  [<ffffffff812a6697>] ext4_evict_inode+0x3f7/0x4f0
[   48.589215]  [<ffffffff8122f9f1>] evict+0xc1/0x190
[   48.589780]  [<ffffffff8122fcd7>] iput+0x1c7/0x250
[   48.590504]  [<ffffffff812c69ff>] ext4_fill_super+0x1ecf/0x3020
[   48.591058]  [<ffffffff81217410>] mount_bdev+0x270/0x2c0
[   48.591601]  [<ffffffff812c4b30>] ? ext4_calculate_overhead+0x3c0/0x3c0
[   48.592091]  [<ffffffff812b5595>] ext4_mount+0x15/0x20
[   48.592581]  [<ffffffff81217e4d>] mount_fs+0x3d/0x170
[   48.593060]  [<ffffffff811b7575>] ? __alloc_percpu+0x15/0x20
[   48.593509]  [<ffffffff81234647>] vfs_kern_mount+0x67/0x110
[   48.593959]  [<ffffffff81236cff>] do_mount+0x25f/0xda0
[   48.594460]  [<ffffffff81215c33>] ? __fput+0x193/0x230
[   48.594904]  [<ffffffff811f5bd6>] ? __kmalloc_track_caller+0x1b6/0x250
[   48.595302]  [<ffffffff811b1d32>] ? memdup_user+0x42/0x70
[   48.595687]  [<ffffffff81237b7f>] SyS_mount+0x9f/0x100
[   48.596065]  [<ffffffff8184efc8>] entry_SYSCALL_64_fastpath+0x1c/0xbb
[   48.596435] Code: ff 49 8b 85 58 04 00 00 8b 75 8c 3b 70 40 0f 83 35 08 00
00 8b 88 a8 00 00 00 89 f2 48 8b b8 78 02 00 00 d3 ea 89 d1 48 8b 50 38 <48> 8b
0c cf 48 83 ea 01 21 f2 48 8b 14 d1 48 8b 12 83 e2 04 0f
[   48.597819] RIP  [<ffffffff812de12d>] ext4_free_blocks+0x1ed/0xc00
[   48.598225]  RSP <ffff8800393d7988>
[   48.598598] CR2: 0000000000000000
[   48.598996] ---[ end trace 6f4a81a91bc49fd0 ]---

- Credit
Reported by Wen Xu from SSLab, Gatech

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ