Date: Fri, 09 Oct 2020 13:25:14 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 250220] ext2: Denial Of Service in mknodat-0
Message-ID: <bug-250220-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=250220

Bug ID: 250220
Summary: ext2: Denial Of Service in mknodat-0
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: emaste@freebsd.org

Reported by: Christopher Krah of Fraunhofer FKIE

*Description of vulnerability*:

The syscall sys_mknodat is vulnerable to a Kernel Denial of Service when a
specially crafted EXT2 filesystem is loaded.

It seems that this behavior was already anticipated as of right now in function
ext2_search_dirblock in /usr/src/sys/fs/ext2fs/ext2_lookup.c in line 727:

    if (ep->e2d_reclen == 0 ||
        (dirchk && ext2_dirbadentry(vdp, ep, offset))) {
            int i;
            ext2_dirbad(ip, *offp, "mangled entry");

The panic is finally thrown in the same file in line 807 after another if
condition in a function called ext2_dirbad:

    if ((mp->mnt_flag & MNT_RDONLY) == 0)
            panic("ext2_dirbad: %s: bad dir ino%ju at offset %ld: %s\n",
                mp->mnt_stat.f_mntonname, (uintmax_t)ip->i_number,
                (long)offset, how);

Our corrupted file system pokes exactly 1 of the 2 occurrences of the function
call to ext2_dirbad (made in /usr/src/sys/fs/ext2fs/ext2_lookup.c), with the
other being in line 535:

    ext2_dirbad(dp, i_offset, "i_size too small");

*Affected versions*:

Tested on FreeBSD 12.0 Release AMD64

*Workaround*:

Do not load ext2fs

-- 
You are receiving this mail because:
You are the assignee for the bug.
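As an added illustration (not part of the original report and not FreeBSD's ext2fs code), the user-space C sketch below walks one ext2 directory block and rejects the kind of mangled entry the report describes, returning an error to the caller instead of panicking. The function names, status codes and the 64-byte sample block are constructed for this example; the checks are assumptions based on the standard ext2 directory entry layout, not a copy of ext2_dirbadentry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR 8u	/* inode(4) + rec_len(2) + name_len(1) + file_type(1) */
enum dir_status { DIR_OK, DIR_ZERO_RECLEN, DIR_MISALIGNED, DIR_TOO_SHORT, DIR_OVERRUN };

/* Walk one directory block; on error *bad_off is the offending entry's offset. */
enum dir_status
check_dir_block(const uint8_t *blk, size_t blksize, size_t *bad_off)
{
	for (size_t off = 0; off < blksize; ) {
		*bad_off = off;
		if (blksize - off < HDR)
			return DIR_OVERRUN;	/* header would cross the block end */
		uint16_t reclen = (uint16_t)(blk[off + 4] | (blk[off + 5] << 8));
		uint8_t namlen = blk[off + 6];
		if (reclen == 0)
			return DIR_ZERO_RECLEN;	/* the walk could never advance */
		if (reclen % 4 != 0)
			return DIR_MISALIGNED;
		if (reclen < ((HDR + namlen + 3u) & ~3u))
			return DIR_TOO_SHORT;	/* record cannot hold its own name */
		if (reclen > blksize - off)
			return DIR_OVERRUN;	/* record crosses the block end */
		off += reclen;
	}
	return DIR_OK;
}

size_t sample_bad_off;	/* offset reported by the last check_sample() call */
/* Constructed 64-byte block: "." (rec_len 12), then ".." with a caller-chosen
 * rec_len. 52 fills the block exactly; other values model a mangled entry. */
enum dir_status
check_sample(uint16_t second_reclen)
{
	uint8_t blk[64] = {0};
	blk[0] = 2; blk[4] = 12; blk[6] = 1; blk[7] = 2; blk[8] = '.';
	blk[12] = 2; blk[16] = (uint8_t)second_reclen; blk[17] = (uint8_t)(second_reclen >> 8);
	blk[18] = 2; blk[19] = 2; blk[20] = '.'; blk[21] = '.';
	return check_dir_block(blk, sizeof(blk), &sample_bad_off);
}

int main(void)
{
	enum dir_status s = check_sample(0);
	printf("rec_len 0 -> status %d at offset %zu\n", s, sample_bad_off);
	return 0;
}
```

The caller decides what to do with a non-zero status (fail the lookup, mark the filesystem for checking), which keeps a bad on-disk value from turning into a crash of the whole system.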
