[Bug 250220] ext2: Denial Of Service in mknodat-0

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Oct 9 13:25:14 UTC 2020


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=250220

            Bug ID: 250220
           Summary: ext2: Denial Of Service in mknodat-0
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: emaste at freebsd.org

Reported by: Christopher Krah of Fraunhofer FKIE

*Description of vulnerability*: The syscall sys_mknodat is vulnerable to a
Kernel Denial of Service when a specially crafted EXT2 filesystem is loaded. It
seems that this behavior was already anticipated as of right now in function
ext2_search_dirblock in /usr/src/sys/fs/ext2fs/ext2_lookup.c in line 727:

if (ep->e2d_reclen == 0 ||
    (dirchk && ext2_dirbadentry(vdp, ep, offset))) {
        int i;
        ext2_dirbad(ip, *offp, "mangled entry");

The panic is finally thrown in the same file in line 807 after another if
condition in a function called ext2_dirbad:

if ((mp->mnt_flag & MNT_RDONLY) == 0)
    panic("ext2_dirbad: %s: bad dir ino%ju at offset %ld: %s\n",
        mp->mnt_stat.f_mntonname, (uintmax_t)ip->i_number,
        (long)offset, how);

Our corrupted file system pokes exactly 1 of the 2 occurrences of the function
call to ext2_dirbad (made in /usr/src/sys/fs/ext2fs/ext2_lookup.c), with the
other being in line 535:

ext2_dirbad(dp, i_offset, "i_size too small");

*Affected versions*: Tested on FreeBSD 12.0 Release AMD64

*Workaround*: Do not load ext2fs

-- 
You are receiving this mail because:
You are the assignee for the bug.
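
The kind of "mangled entry" sanity check the report refers to can be run in userspace on a directory block before an image is mounted read-write. The following C program is an added example, not code from the report or from FreeBSD: the names check_dirblock and demo, the reason strings and the 64-byte sample block are constructed, and the checks follow the ext2 on-disk directory entry layout (inode, rec_len, name_len, file_type, name), assuming a block size below 64 KiB.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimum record length for an n-byte name: 8-byte header, rounded up to 4. */
#define DIR_REC_LEN(n) ((8u + (unsigned)(n) + 3u) & ~3u)

/* Walk one block without trusting rec_len; NULL means every entry is sane. */
const char *check_dirblock(const uint8_t *blk, size_t bsize, size_t *bad_off)
{
    for (size_t off = 0; off < bsize; ) {
        *bad_off = off;                 /* offset of the entry being checked */
        if (bsize - off < 8)
            return "truncated entry header";
        unsigned reclen = blk[off + 4] | (blk[off + 5] << 8); /* little-endian */
        unsigned namlen = blk[off + 6];
        if (reclen == 0)                /* would never advance: reject */
            return "rec_len is zero";
        if (reclen % 4 != 0)
            return "rec_len not a multiple of 4";
        if (reclen < DIR_REC_LEN(namlen))
            return "rec_len too small for name_len";
        if (reclen > bsize - off)
            return "entry crosses block boundary";
        off += reclen;
    }
    return NULL;
}

/* Constructed 64-byte block holding "." and ".."; mangle zeroes one rec_len. */
const char *demo(int mangle, size_t *bad_off)
{
    uint8_t blk[64] = {0};
    /* inode (4 bytes), rec_len (2), name_len (1), file_type 2 = dir, name */
    static const uint8_t dot[]    = {2, 0, 0, 0, 12, 0, 1, 2, '.'};
    static const uint8_t dotdot[] = {2, 0, 0, 0, 52, 0, 2, 2, '.', '.'};
    memcpy(blk, dot, sizeof(dot));
    memcpy(blk + 12, dotdot, sizeof(dotdot));
    if (mangle)
        blk[12 + 4] = 0;                /* second entry: rec_len becomes 0 */
    return check_dirblock(blk, sizeof(blk), bad_off);
}

int main(void)
{
    size_t off = 0;
    const char *why = demo(1, &off);
    printf("mangled block: %s at offset %zu\n", why, off);
    printf("clean block: %s\n", demo(0, &off) ? "bad" : "ok");
}
```
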

