https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=250223
Bug ID: 250223
Summary: FS-19-EXT3-4: Out of bounds read in mknodat-1 (fifo_close)
Product: Base System
Version: 12.1-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
Reported by: Christopher Krah of Fraunhofer FKIE
*Description of the vulnerability*: Mounting a specially crafted ext3 (and
potentially any ext fs) may lead to an out-of-bounds read. The file system of
[1] yields a page fault (supervisor read data).
This happens at line 276 of /usr/src/sys/fs/fifofs/fifo_vnops.c:
/*
* Device close routine
*/
/* ARGSUSED */
static int
fifo_close(ap)
struct vop_close_args /* {
struct vnode *a_vp;
int a_fflag;
struct ucred *a_cred;
struct thread *a_td;
} */ *ap;
{
struct vnode *vp;
struct fifoinfo *fip;
struct pipe *cpipe;
vp = ap->a_vp;
fip = vp->v_fifoinfo; /* crash occurs here */
[...]
In this snippet, when setting the value of fip by accessing the v_fifoinfo field,
fip is set to zero.
(kgdb) p *vp
$1 = {[...], {v_mountedhere = 0x0, v_unpcb = 0x0, v_rdev = 0x0, v_fifoinfo =
0x0} [...] }
The corresponding assembly instruction is:
0xffffffff80a36b36 <fifo_close+22>: mov r14,QWORD PTR [r12]
and confirms the above. At the time of the crash r12 = 0x0, and hence accessing
the value at memory address 0x0 is causing the kernel DoS.
That said, if an attacker had access to r12, this may lead to an information
leak.
*Affected versions*: tested with FreeBSD 12.0-RELEASE AMD64.
*Workaround*: Do not load ext2fs
---
fsu reports: Cannot be reproduced on CURRENT r349333, reproduced on 12 at
r341666.
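The failure mode the report describes is a fifo vnode whose v_fifoinfo was never populated, so the unconditional `fip = vp->v_fifoinfo` followed by a dereference reads through a NULL pointer. The following is an added userland model of that close path, not FreeBSD's code and not the project's eventual fix: it keeps the field names of the quoted excerpt (v_fifoinfo, fi_readers, fi_writers, a_fflag) on simplified structs that are assumptions for illustration, places the unchecked close beside a guarded variant that refuses a NULL fifoinfo, and exercises both on constructed vnodes.

```c
/*
 * Added example (not FreeBSD code): a userland model of the fifo_close()
 * path quoted in the report. The struct layouts and the EBADF choice in the
 * guarded variant are assumptions for illustration only.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define FREAD  0x0001   /* same values as sys/fcntl.h */
#define FWRITE 0x0002

struct fifoinfo {
	int fi_readers;  /* open readers, as in the kernel's fifoinfo */
	int fi_writers;  /* open writers */
};

struct vnode {
	struct fifoinfo *v_fifoinfo;  /* NULL until an open allocates it */
};

struct vop_close_args {
	struct vnode *a_vp;
	int a_fflag;
};

/* Mirrors the report's fifo_close(): dereferences fip without a check.
 * Called with v_fifoinfo == NULL this reproduces the NULL read. */
static int
fifo_close_unchecked(struct vop_close_args *ap)
{
	struct fifoinfo *fip = ap->a_vp->v_fifoinfo;

	if (ap->a_fflag & FREAD)
		fip->fi_readers--;
	if (ap->a_fflag & FWRITE)
		fip->fi_writers--;
	return (0);
}

/* Guarded variant (an assumption, not the project's fix): a fifo vnode
 * with no fifoinfo was never opened, so refuse instead of dereferencing. */
static int
fifo_close_checked(struct vop_close_args *ap)
{
	struct fifoinfo *fip = ap->a_vp->v_fifoinfo;

	if (fip == NULL)
		return (EBADF);
	if (ap->a_fflag & FREAD)
		fip->fi_readers--;
	if (ap->a_fflag & FWRITE)
		fip->fi_writers--;
	return (0);
}

/* Scenario 1: v_fifoinfo never populated (the crafted-image case).
 * Returns EBADF from the guarded close instead of faulting. */
static int
close_unopened_fifo(void)
{
	struct vnode vp = { .v_fifoinfo = NULL };   /* constructed vnode */
	struct vop_close_args ap = { .a_vp = &vp, .a_fflag = FREAD };

	return (fifo_close_checked(&ap));
}

/* Scenario 2: a fifo that was opened normally. Both variants behave the
 * same here; returns the reader count left after closing one reader. */
static int
close_opened_fifo(void)
{
	struct fifoinfo fi = { .fi_readers = 2, .fi_writers = 1 };
	struct vnode vp = { .v_fifoinfo = &fi };    /* constructed vnode */
	struct vop_close_args rd = { .a_vp = &vp, .a_fflag = FREAD };
	struct vop_close_args wr = { .a_vp = &vp, .a_fflag = FWRITE };

	if (fifo_close_unchecked(&wr) != 0)  /* safe: fifoinfo exists */
		return (-1);
	if (fifo_close_checked(&rd) != 0)
		return (-1);
	return (fi.fi_readers + fi.fi_writers);  /* 1 reader + 0 writers */
}

int
main(void)
{
	printf("unopened fifo close -> %d (EBADF is %d)\n",
	    close_unopened_fifo(), EBADF);
	printf("opened fifo close -> %d open ends remain\n",
	    close_opened_fifo());
	return (0);
}
```

The guard is the whole point: every VOP that reaches a fifo vnode through on-disk metadata rather than through fifo_open() must be prepared for v_fifoinfo to be NULL, because a crafted image controls the inode type but never runs the open path that allocates it.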