Date: Fri, 09 Oct 2020 13:25:14 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 250220] ext2: Denial Of Service in mknodat-0
Message-ID: <bug-250220-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=250220

    Bug ID:    250220
    Summary:   ext2: Denial Of Service in mknodat-0
    Product:   Base System
    Version:   CURRENT
    Hardware:  Any
    OS:        Any
    Status:    New
    Severity:  Affects Only Me
    Priority:  ---
    Component: kern
    Assignee:  bugs@FreeBSD.org
    Reporter:  emaste@freebsd.org

Reported by: Christopher Krah of Fraunhofer FKIE

*Description of vulnerability*:

The syscall sys_mknodat is vulnerable to a Kernel Denial of Service when a
specially crafted EXT2 filesystem is loaded.

It seems that this behavior was already anticipated as of right now in function
ext2_search_dirblock in /usr/src/sys/fs/ext2fs/ext2_lookup.c in line 727:

    if (ep->e2d_reclen == 0 ||
        (dirchk && ext2_dirbadentry(vdp, ep, offset))) {
            int i;
            ext2_dirbad(ip, *offp, "mangled entry");

The panic is finally thrown in the same file in line 807 after another if
condition in a function called ext2_dirbad:

    if ((mp->mnt_flag & MNT_RDONLY) == 0)
            panic("ext2_dirbad: %s: bad dir ino%ju at offset %ld: %s\n",
                mp->mnt_stat.f_mntonname, (uintmax_t)ip->i_number,
                (long)offset, how);

Our corrupted file system pokes exactly 1 of the 2 occurrences of the function
call to ext2_dirbad (made in /usr/src/sys/fs/ext2fs/ext2_lookup.c), with the
other being in line 535:

    ext2_dirbad(dp, i_offset, "i_size too small")

*Affected versions*:
Tested on FreeBSD 12.0 Release AMD64

*Workaround*:
Do not load ext2fs

-- 
You are receiving this mail because:
You are the assignee for the bug.
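As an added example (not part of the bug report and not FreeBSD's own code), the following userland C sketch walks one ext2 directory block and rejects the kind of malformed entry that the quoted ext2_search_dirblock check reacts to, so an untrusted image can be screened before it is mounted. It assumes the standard ext2 on-disk entry layout and a 1024-byte block; check_dirblock and put_entry are hypothetical names, and the sample block is constructed test data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard ext2 on-disk entry: inode(4) rec_len(2) name_len(1) type(1) name[] */
#define HDR 8u
#define REC_LEN(n) (((size_t)(n) + HDR + 3u) & ~(size_t)3u)
/* Return NULL if every entry is sane, else the reason; *bad = offset of the bad entry. */
const char *check_dirblock(const uint8_t *blk, size_t blksize, size_t *bad)
{
    for (size_t off = 0; off < blksize; ) {
        *bad = off;
        if (blksize - off < HDR) return "truncated entry header";
        size_t reclen = (size_t)blk[off + 4] | ((size_t)blk[off + 5] << 8);
        uint8_t namelen = blk[off + 6];
        if (reclen == 0) return "rec_len is zero";
        if (reclen < REC_LEN(1)) return "rec_len below minimum";
        if (reclen % 4 != 0) return "rec_len not a multiple of 4";
        if (reclen < REC_LEN(namelen)) return "rec_len too small for name_len";
        if (off + reclen > blksize) return "entry crosses block boundary";
        off += reclen;
    }
    return NULL;
}

/* Write one little-endian entry into a constructed sample block (test data only). */
void put_entry(uint8_t *blk, size_t off, uint32_t ino, uint16_t reclen, const char *name)
{
    uint8_t n = (uint8_t)strlen(name);
    for (int i = 0; i < 4; i++) blk[off + i] = (uint8_t)(ino >> (8 * i));
    blk[off + 4] = (uint8_t)reclen; blk[off + 5] = (uint8_t)(reclen >> 8);
    blk[off + 6] = n; blk[off + 7] = 0;   /* name_len, file_type */
    memcpy(blk + off + HDR, name, n);
}

int main(void)
{
    uint8_t blk[1024] = {0};              /* constructed 1024-byte directory block */
    size_t bad = 0;
    put_entry(blk, 0, 2, 12, ".");
    put_entry(blk, 12, 2, 12, "..");
    put_entry(blk, 24, 12, 1000, "file"); /* last entry spans the rest of the block */
    const char *why = check_dirblock(blk, sizeof(blk), &bad);
    printf("clean block: %s\n", why ? why : "ok");
    blk[28] = blk[29] = 0;                /* corrupt: zero rec_len of the third entry */
    why = check_dirblock(blk, sizeof(blk), &bad);
    printf("corrupt block: %s at offset %zu\n", why ? why : "ok", bad);
    return 0;
}
```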