[Bug 250223] FS-19-EXT3-4: Out of bounds read in mknodat-1 (fifo_close)
bugzilla-noreply at freebsd.org
Fri Oct 9 13:40:48 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=250223
Bug ID: 250223
Summary: FS-19-EXT3-4: Out of bounds read in mknodat-1 (fifo_close)
Product: Base System
Version: 12.1-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: emaste at freebsd.org
Reported by: Christopher Krah of Fraunhofer FKIE
*Description of the vulnerability*: Mounting a specially crafted ext3 (and
potentially any ext fs) may lead to an out-of-bounds read. The file system of
[1] yields a page fault (supervisor read data).
This happens in line 276 in /usr/src/sys/fs/fifofs/fifo_vnops.c:
/*
 * Device close routine
 */
/* ARGSUSED */
static int
fifo_close(ap)
	struct vop_close_args /* {
		struct vnode *a_vp;
		int a_fflag;
		struct ucred *a_cred;
		struct thread *a_td;
	} */ *ap;
{
	struct vnode *vp;
	struct fifoinfo *fip;
	struct pipe *cpipe;

	vp = ap->a_vp;
	fip = vp->v_fifoinfo;	/* crash occurs here */
	[...]
In this snippet, when setting the value of fip by accessing the v_fifoinfo field,
fip is set to zero.
(kgdb) p *vp
$1 = {[...], {v_mountedhere = 0x0, v_unpcb = 0x0, v_rdev = 0x0, v_fifoinfo = 0x0} [...] }
The corresponding assembly instruction is:
0xffffffff80a36b36 <fifo_close+22>: mov r14,QWORD PTR [r12]
and confirms the above. At the time of the crash r12 = 0x0, and hence accessing
the value at memory address 0x0 is causing the kernel DoS.
That said, if an attacker would have access to r12 this may lead to an
information leak.
*Affected versions*: tested with FreeBSD 12.0-RELEASE AMD64.
*Workaround*: Do not load ext2fs
---
fsu reports: Cannot be reproduced on CURRENT r349333, reproduced on 12 at
r341666.
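The report boils down to a close routine dereferencing a fifoinfo pointer that the crafted file system never set up. The following is an added userland model of that shape, not FreeBSD code and not the project's fix: the structures are simplified stand-ins named after the fields in the report, `fifo_close_unchecked` keeps the unconditional dereference the report crashes on, and `fifo_close_guarded` shows one defensive pattern (an assumption of this example) in which a vnode with a NULL `v_fifoinfo` is reported as an error instead of being read through. Whether the right place for such a check is fifofs or the ext2fs code that produced the vnode is not settled by the report.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed userland model of the structures fifo_close touches.
 * Field names follow the report; the layout is simplified and is not
 * the FreeBSD definition.
 */
struct pipe {
	int pipe_state;
};

struct fifoinfo {
	struct pipe *fi_pipe;
	long fi_readers;
	long fi_writers;
};

struct vnode {
	struct fifoinfo *v_fifoinfo;	/* NULL on the crafted ext3 vnode in the report */
};

#define FREAD	0x0001
#define FWRITE	0x0002

/*
 * The shape the report crashes on: fip comes straight from the vnode and is
 * dereferenced without a check. With v_fifoinfo == NULL the load of fi_pipe
 * reads address 0, which in the kernel is the supervisor read page fault
 * shown in the report. Kept as the "before" form; not safe with a NULL
 * v_fifoinfo.
 */
static int
fifo_close_unchecked(struct vnode *vp, int fflag)
{
	struct fifoinfo *fip = vp->v_fifoinfo;
	struct pipe *cpipe = fip->fi_pipe;	/* faults when fip == NULL */

	if (fflag & FREAD)
		fip->fi_readers--;
	if (fflag & FWRITE)
		fip->fi_writers--;
	return (cpipe == NULL ? ENXIO : 0);
}

/*
 * Defensive form (an assumption of this example, not the actual FreeBSD
 * fix): a vnode whose fifoinfo was never initialised yields ENXIO and is
 * never read through. Returns 0 on success, an errno value otherwise.
 */
static int
fifo_close_guarded(struct vnode *vp, int fflag)
{
	struct fifoinfo *fip = vp->v_fifoinfo;

	if (fip == NULL || fip->fi_pipe == NULL)
		return (ENXIO);	/* refuse rather than dereference NULL */
	if ((fflag & FREAD) && fip->fi_readers > 0)
		fip->fi_readers--;
	if ((fflag & FWRITE) && fip->fi_writers > 0)
		fip->fi_writers--;
	return (0);
}

int
main(void)
{
	struct pipe p = { 0 };
	struct fifoinfo fi = { .fi_pipe = &p, .fi_readers = 1, .fi_writers = 1 };
	struct vnode good = { .v_fifoinfo = &fi };
	struct vnode bad = { .v_fifoinfo = NULL };	/* the crafted-fs case */

	printf("guarded close, initialised fifo:   %d\n", fifo_close_guarded(&good, FREAD));
	printf("guarded close, missing fifoinfo:   %d (ENXIO=%d)\n",
	    fifo_close_guarded(&bad, FREAD), ENXIO);
	/* fifo_close_unchecked(&bad, FREAD) would fault here, as in the report. */
	return (0);
}
```

Only the guarded routine is ever called with the NULL-fifoinfo vnode; the unchecked one is present so the two control flows can be compared side by side.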