Date: Fri, 09 Oct 2020 13:35:57 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 250222] Multiple ways for a kernel DoS (ufs_lookup_ino)
Message-ID: <bug-250222-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=250222

            Bug ID: 250222
           Summary: Multiple ways for a kernel DoS (ufs_lookup_ino)
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: emaste@freebsd.org

Reported by: Christopher Krah of Fraunhofer FKIE
Reporter's ID: FS-15-UFS-4

*Description of the vulnerability*: Mounting a specially crafted UFS filesystem
may lead to a kernel Denial of Service that was already anticipated in the
code. This is due to the following code in function ufs_dirbad in line 762 in
/usr/src/sys/ufs/ufs/ufs_lookup.c:

    {
            struct mount *mp;

            mp = ITOV(ip)->v_mount;
            if ((mp->mnt_flag & MNT_RDONLY) == 0)
                    panic("ufs_dirbad: %s: bad dir ino %ju at offset %ld: %s",
                        mp->mnt_stat.f_mntonname, (uintmax_t)ip->i_number,
                        (long)offset, how);
            else
                    (void)printf("%s: bad dir ino %ju at offset %ld: %s\n",
                        mp->mnt_stat.f_mntonname, (uintmax_t)ip->i_number,
                        (long)offset, how);
    }

So far we were able to trigger this panic via 5 different system calls and
hence different/multiple unique back traces as of time of writing this email:

* sys_mkdir
* sys_openat
* sys_fsstatat
* sys_access
* sys_mknodat

This shows that the UFS fs is especially vulnerable to this type of kernel DoS.
If additional different ways to trigger this behavior appear they will be added
to the same shared folder referenced here at [1].

*Affected versions*: tested with FreeBSD 12.0-RELEASE AMD64.

*Workaround*: None

---
FS image to be attached.

-- 
You are receiving this mail because:
You are the assignee for the bug.
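
Added example, not part of the original report and not FreeBSD's own code: a userland C check for the kind of directory-entry inconsistency that a kernel would report as a "bad dir", so an untrusted image can be screened before it is mounted read-write. It assumes the classic UFS entry layout (4-byte inode, 2-byte record length, type, name length, name) in host byte order and 512-byte directory blocks; check_dirblk, put_entry and the sample blocks are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UFS_DIRBLKSIZ 512 /* assumed UFS directory block size */
#define DIR_HDR       8   /* d_ino(4) + d_reclen(2) + d_type(1) + d_namlen(1) */

/* Smallest legal record for a name: header + name + NUL, 4-byte aligned. */
static size_t dir_minsize(uint8_t namlen) {
    return (DIR_HDR + (size_t)namlen + 1 + 3) & ~(size_t)3;
}

/* Walk one directory block; return NULL if consistent, else the reason
 * and (via bad_off) the offset of the first inconsistent entry. */
const char *check_dirblk(const uint8_t *blk, size_t *bad_off) {
    size_t off = 0;
    while (off < UFS_DIRBLKSIZ) {
        uint16_t reclen;
        *bad_off = off;
        if (UFS_DIRBLKSIZ - off < DIR_HDR) return "truncated entry header";
        memcpy(&reclen, blk + off + 4, sizeof reclen); /* host byte order */
        if (reclen == 0 || (reclen & 3)) return "zero or unaligned reclen";
        if (reclen > UFS_DIRBLKSIZ - off) return "reclen crosses block end";
        if (reclen < dir_minsize(blk[off + 7])) return "reclen too small for name";
        off += reclen;
    }
    return NULL;
}

/* Constructed sample input: write one entry into a block. */
void put_entry(uint8_t *blk, size_t off, uint32_t ino, uint16_t reclen, const char *name) {
    uint8_t namlen = (uint8_t)strlen(name);
    memcpy(blk + off, &ino, 4);
    memcpy(blk + off + 4, &reclen, 2);
    blk[off + 6] = 4; /* DT_DIR */
    blk[off + 7] = namlen;
    memcpy(blk + off + DIR_HDR, name, (size_t)namlen + 1);
}

int main(void) {
    uint8_t blk[UFS_DIRBLKSIZ] = {0};
    size_t off = 0;
    put_entry(blk, 0, 2, 12, ".");
    put_entry(blk, 12, 2, 500, "..");
    printf("good: %s\n", check_dirblk(blk, &off) ? "bad" : "ok");
    put_entry(blk, 12, 2, 502, ".."); /* constructed corruption */
    printf("bad:  %s at offset %zu\n", check_dirblk(blk, &off), off);
    return 0;
}
```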