Date: Fri, 09 Oct 2020 13:40:47 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 250223] FS-19-EXT3-4: Out of bounds read in mknodat-1 (fifo_close)
Message-ID: <bug-250223-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=250223

            Bug ID: 250223
           Summary: FS-19-EXT3-4: Out of bounds read in mknodat-1 (fifo_close)
           Product: Base System
           Version: 12.1-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: emaste@freebsd.org

Reported by: Christopher Krah of Fraunhofer FKIE

*Description of the vulnerability*:

Mounting a specially crafted ext3 (and potentially any ext fs) may lead to an
out-of-bounds read. The file system of [1] yields a page fault (supervisor read
data). This happens in line 276 in /usr/src/sys/fs/fifofs/fifo_vnops.c:

    /*
     * Device close routine
     */
    /* ARGSUSED */
    static int
    fifo_close(ap)
            struct vop_close_args /* {
                    struct vnode *a_vp;
                    int a_fflag;
                    struct ucred *a_cred;
                    struct thread *a_td;
            } */ *ap;
    {
            struct vnode *vp;
            struct fifoinfo *fip;
            struct pipe *cpipe;

            vp = ap->a_vp;
            fip = vp->v_fifoinfo;   # crash occurs here
            [...]

In this snippet, when setting the value of fip by accessing the v_fifoinfo
field, fip is set to zero.

    (kgdb) p *vp
    $1 = {[...], {v_mountedhere = 0x0, v_unpcb = 0x0, v_rdev = 0x0, v_fifoinfo = 0x0} [...] }

The corresponding assembly instruction is:

    0xffffffff80a36b36 <fifo_close+22>: mov r14,QWORD PTR [r12]

And confirms the above. At the time of the crash r12 = 0x0, and hence accessing
the value at memory address 0x0 is causing the kernel DoS. That said, if an
attacker would have access to r12 this may lead to an information leak.

*Affected versions*: tested with FreeBSD 12.0-RELEASE AMD64.

*Workaround*: Do not load ext2fs

---

fsu reports: Cannot be reproduced on CURRENT r349333, reproduced on 12 at r341666

-- 
You are receiving this mail because:
You are the assignee for the bug.
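The crash pattern the report describes, as an added userland model that is not code from the bug report, from Christopher Krah, or from FreeBSD: a close routine loads a per-vnode private pointer that only the open path ever allocates, then dereferences it without checking that it was set. The structures below are cut-down stand-ins for the kernel's struct vnode, struct fifoinfo and struct pipe, every function name (fifo_attach, fifo_detach, fifo_close_unchecked, fifo_close_checked) is hypothetical, and the "crafted" vnode is constructed inline to stand for a node that reaches close with v_fifoinfo == 0x0, as in the kgdb dump. The checked variant only illustrates the defensive pattern; the report contains no fix and this is not the one FreeBSD applied.

```c
/* Added example (not from the bug report or FreeBSD): a userland model of the
 * fifo_close() NULL read. struct vnode/fifoinfo/pipe are cut-down stand-ins
 * for the kernel structures, and every function name here is hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define FREAD  0x0001
#define FWRITE 0x0002

struct pipe { int pipe_state; };

/* Stand-in for the kernel's struct fifoinfo. fi_pipe is the first member, so
 * reading it through a NULL fifoinfo is a load from address 0x0, which is what
 * the report's "mov r14,QWORD PTR [r12]" with r12 == 0 does. */
struct fifoinfo {
    struct pipe *fi_pipe;
    long fi_readers;
    long fi_writers;
};

/* Stand-in for struct vnode: v_fifoinfo stays NULL until an open attaches it. */
struct vnode {
    struct fifoinfo *v_fifoinfo;
};

/* Models the allocation the open path performs on first open. Returns 0 or errno. */
static int fifo_attach(struct vnode *vp, int fflag)
{
    if (vp->v_fifoinfo == NULL) {
        struct fifoinfo *fip = calloc(1, sizeof(*fip));
        if (fip == NULL)
            return ENOMEM;
        fip->fi_pipe = calloc(1, sizeof(*fip->fi_pipe));
        if (fip->fi_pipe == NULL) {
            free(fip);
            return ENOMEM;
        }
        vp->v_fifoinfo = fip;
    }
    if (fflag & FREAD)
        vp->v_fifoinfo->fi_readers++;
    if (fflag & FWRITE)
        vp->v_fifoinfo->fi_writers++;
    return 0;
}

/* Release the per-vnode state once the last reader and writer are gone. */
static void fifo_detach(struct vnode *vp)
{
    free(vp->v_fifoinfo->fi_pipe);
    free(vp->v_fifoinfo);
    vp->v_fifoinfo = NULL;
}

/* The pattern from the report: fip is loaded from the vnode and dereferenced
 * without checking that an open ever set it. On a vnode whose v_fifoinfo is
 * NULL the first dereference below faults (SIGSEGV here, a supervisor-mode
 * page fault in the kernel). Do not call this on the crafted vnode. */
static int fifo_close_unchecked(struct vnode *vp, int fflag)
{
    struct fifoinfo *fip = vp->v_fifoinfo;
    struct pipe *cpipe = fip->fi_pipe;   /* NULL read when fip == NULL */
    (void)cpipe;
    if (fflag & FREAD)
        fip->fi_readers--;
    if (fflag & FWRITE)
        fip->fi_writers--;
    if (fip->fi_readers == 0 && fip->fi_writers == 0)
        fifo_detach(vp);
    return 0;
}

/* Defensive variant (an illustration, not the fix FreeBSD shipped): a close
 * with no attached fifoinfo has nothing to release, so fail it with EBADF
 * instead of dereferencing NULL. */
static int fifo_close_checked(struct vnode *vp, int fflag)
{
    if (vp->v_fifoinfo == NULL)
        return EBADF;
    return fifo_close_unchecked(vp, fflag);
}

int main(void)
{
    struct vnode opened = { NULL };   /* went through the open path */
    struct vnode crafted = { NULL };  /* constructed: reaches close with no fifoinfo */

    if (fifo_attach(&opened, FREAD | FWRITE) != 0)
        return 1;
    printf("opened: close(FREAD) -> %d\n", fifo_close_checked(&opened, FREAD));
    printf("opened: close(FWRITE) -> %d, fifoinfo now %p\n",
           fifo_close_checked(&opened, FWRITE), (void *)opened.v_fifoinfo);
    printf("crafted: close -> %d (EBADF=%d); the unchecked path would fault here\n",
           fifo_close_checked(&crafted, FREAD), EBADF);
    return 0;
}
```

The unchecked routine is safe only as long as every vnode that reaches it has been through the open path; the report's crafted ext3 image is an instance of that invariant failing, which is why the check belongs at the consumer of the pointer rather than being assumed from the file system that created the node.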
