Bug 250222 - Multiple ways for a kernel DoS (ufs_lookup_ino) [FS-15-UFS-4]
Summary: Multiple ways for a kernel DoS (ufs_lookup_ino) [FS-15-UFS-4]
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-fs (Nobody)
Depends on:
Reported: 2020-10-09 13:35 UTC by Ed Maste
Modified: 2020-10-15 18:45 UTC (History)
3 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Ed Maste freebsd_committer 2020-10-09 13:35:57 UTC
Reported by: Christopher Krah of Fraunhofer FKIE
Reporter's ID: FS-15-UFS-4

*Description of the vulnerability*: Mounting a specially crafted UFS filesystem may lead to a kernel Denial of Service that was already anticipated in the code.
This is due to the following code in function ufs_dirbad in line 762 in /usr/src/sys/ufs/ufs/ufs_lookup.c:

struct mount *mp;

mp = ITOV(ip)->v_mount;
if ((mp->mnt_flag & MNT_RDONLY) == 0)
    panic("ufs_dirbad: %s: bad dir ino %ju at offset %ld: %s", mp->mnt_stat.f_mntonname, (uintmax_t)ip->i_number, (long)offset, how);
    (void)printf("%s: bad dir ino %ju at offset %ld: %s\n", mp->mnt_stat.f_mntonname, (uintmax_t)ip->i_number, (long)offset, how);

So far we were able to trigger this panic via 5 different system calls and hence different/multiple unique back traces as of time of writing this email:

* sys_mkdir
* sys_openat
* sys_fsstatat
* sys_access
* sys_mknodat

This shows that the UFS fs is especially vulnerable to this type of kernel DoS.
If additional different ways to trigger this behavior appear they will be added to the same shared folder referenced here at [1].

*Affected versions*: tested with FreeBSD 12.0-RELEASE AMD64. 

*Workaround*: None

FS image to be attached.