Date: Sat, 14 May 2022 13:30:38 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 263971] malicious superblock can cause buffer overflow during tasting Message-ID: <bug-263971-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D263971 Bug ID: 263971 Summary: malicious superblock can cause buffer overflow during tasting Product: Base System Version: Unspecified Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: rtm@lcs.mit.edu Created attachment 233909 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D233909&action= =3Dedit disk image with malicious superblock fields that cause buffer overflow duri= ng tasting ffs_sbget() allocates some memory into which it reads file system information, using fields from the superblock to choose a size: size =3D fs->fs_cssize; if (fs->fs_contigsumsize > 0) size +=3D fs->fs_ncg * sizeof(int32_t); size +=3D fs->fs_ncg * sizeof(u_int8_t); ...; if ((space =3D UFS_MALLOC(size, filltype, M_WAITOK)) =3D=3D NULL) { An attacker can choose values that cause size to be too small, causing subsequent code to write beyond the end of space. The attached disk image has a superblock with fs_cssize -1434999068 fs_contigsumsize 2147483647 fs_ncg 287173615 The calculated size is 869007. Later on: if (fs->fs_contigsumsize > 0) { fs->fs_maxcluster =3D lp =3D (int32_t *)space; for (i =3D 0; i < fs->fs_ncg; i++) *lp++ =3D fs->fs_contigsumsize; Since fs_ncg > size, this loop writes the attacker-chosen fs_contigsumsize beyond the allocated space. What I see when the attached disk image is tasted: # uname -a FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #267 main-n250920-74195f0a7a6c-dirty: Sat May 14 09:04:48 EDT 2022=20=20=20=20 rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv # mdconfig -f taste7a.img panic: vm_fault_lookup: fault on nofault entry, addr: 0xffffffc07cb67000 cpuid =3D 0 time =3D 1652523702 KDB: stack backtrace: db_trace_self() at db_trace_self db_trace_self_wrapper() at db_trace_self_wrapper+0x38 kdb_backtrace() at kdb_backtrace+0x2c vpanic() at vpanic+0x16e panic() at panic+0x2a vm_fault_lookup() at vm_fault_lookup+0x1bc vm_fault() at vm_fault+0x9e vm_fault_trap() at vm_fault_trap+0x68 page_fault_handler() at page_fault_handler+0x13c do_trap_supervisor() at do_trap_supervisor+0x76 cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70 --- exception 15, tval =3D 0xffffffc07cb67000 ffs_sbget() at ffs_sbget+0x2b0 g_label_ufs_taste_common() at g_label_ufs_taste_common+0x6c g_label_ufs_id_taste() at g_label_ufs_id_taste+0xe g_label_taste() at g_label_taste+0x198 g_new_provider_event() at g_new_provider_event+0xb8 one_event() at one_event+0x106 g_run_events() at g_run_events+0x8a g_event_procbody() at g_event_procbody+0x56 fork_exit() at fork_exit+0x80 fork_trampoline() at fork_trampoline+0xa KDB: enter: panic [ thread pid 13 tid 100017 ] Stopped at breakpoint+0xa: c.ldsp s0,0(sp) db> --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-263971-227>