[Bug 250222] Multiple ways for a kernel DoS (ufs_lookup_ino)
bugzilla-noreply at freebsd.org
Fri Oct 9 13:35:58 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=250222
Bug ID: 250222
Summary: Multiple ways for a kernel DoS (ufs_lookup_ino)
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: emaste at freebsd.org
Reported by: Christopher Krah of Fraunhofer FKIE
Reporter's ID: FS-15-UFS-4
*Description of the vulnerability*: Mounting a specially crafted UFS filesystem
may lead to a kernel Denial of Service that was already anticipated in the
code.
This is due to the following code in function ufs_dirbad in line 762 in
/usr/src/sys/ufs/ufs/ufs_lookup.c:
    {
        struct mount *mp;

        mp = ITOV(ip)->v_mount;
        if ((mp->mnt_flag & MNT_RDONLY) == 0)
            panic("ufs_dirbad: %s: bad dir ino %ju at offset %ld: %s",
                mp->mnt_stat.f_mntonname, (uintmax_t)ip->i_number,
                (long)offset, how);
        else
            (void)printf("%s: bad dir ino %ju at offset %ld: %s\n",
                mp->mnt_stat.f_mntonname, (uintmax_t)ip->i_number,
                (long)offset, how);
    }
So far we were able to trigger this panic via 5 different system calls and
hence different/multiple unique back traces as of time of writing this email:
* sys_mkdir
* sys_openat
* sys_fsstatat
* sys_access
* sys_mknodat
This shows that the UFS fs is especially vulnerable to this type of kernel DoS.
If additional different ways to trigger this behavior appear they will be added
to the same shared folder referenced here at [1].
*Affected versions*: tested with FreeBSD 12.0-RELEASE AMD64.
*Workaround*: None
---
FS image to be attached.
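Added example (not part of the bug report and not FreeBSD source): a userspace sketch that walks one UFS directory block from an untrusted image and reports a malformed entry as an offset plus reason, the same two values ufs_dirbad receives, instead of halting. The 512-byte block size, the little-endian `struct direct` field offsets, the particular checks and the names `check_dirblk`, `put_ent` and `demo` are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DIRBLKSIZ 512 /* assumed UFS directory block size */
#define HDRSIZ 8      /* d_ino(4) d_reclen(2) d_type(1) d_namlen(1) */

/* Smallest legal record for a name: header + name + NUL, rounded up to 4. */
static unsigned dirsiz(unsigned namlen) { return (HDRSIZ + namlen + 1 + 3) & ~3u; }

/* Walk one block. Returns NULL if consistent, otherwise the reason, with
 * *badoff set to the offending entry (the "offset" and "how" of the report). */
const char *check_dirblk(const uint8_t *blk, size_t *badoff)
{
    size_t off = 0;
    while (off < DIRBLKSIZ) {
        *badoff = off;
        if (DIRBLKSIZ - off < HDRSIZ) return "truncated entry header";
        unsigned reclen = blk[off + 4] | (blk[off + 5] << 8); /* little-endian */
        unsigned namlen = blk[off + 7];
        if (reclen == 0 || (reclen & 3) != 0) return "reclen zero or unaligned";
        if (reclen > DIRBLKSIZ - off) return "reclen crosses block boundary";
        if (reclen < dirsiz(namlen)) return "reclen too small for name";
        if (memchr(blk + off + HDRSIZ, '\0', namlen)) return "NUL inside name";
        off += reclen;
    }
    return NULL;
}

/* Constructed sample: "." then ".." filling the block; the caller picks the
 * second entry's d_reclen (500 is the consistent value). */
static void put_ent(uint8_t *blk, size_t off, unsigned reclen, const char *name)
{
    blk[off] = 2;                        /* d_ino low byte (constructed) */
    blk[off + 4] = reclen & 0xff;
    blk[off + 5] = (reclen >> 8) & 0xff;
    blk[off + 6] = 4;                    /* d_type: DT_DIR */
    blk[off + 7] = (uint8_t)strlen(name);
    memcpy(blk + off + HDRSIZ, name, strlen(name));
}

const char *demo(unsigned second_reclen, size_t *badoff)
{
    uint8_t blk[DIRBLKSIZ] = {0};
    put_ent(blk, 0, 12, ".");
    put_ent(blk, 12, second_reclen, "..");
    return check_dirblk(blk, badoff);
}
int main(void) { size_t o; return demo(500, &o) != NULL; }
```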