Bug 250223 - FS-19-EXT3-4: Out of bounds read in mknodat-1 (fifo_close)
Summary: FS-19-EXT3-4: Out of bounds read in mknodat-1 (fifo_close)
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 12.1-STABLE
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-09 13:40 UTC by Ed Maste
Modified: 2020-10-10 00:03 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ed Maste freebsd_committer 2020-10-09 13:40:47 UTC
Reported by: Christopher Krah of Fraunhofer FKIE

*Description of the vulnerability*: Mounting a specially crafted ext3 (and potentially any ext fs) may lead to an out-of-bounds read. The file system of [1] yields a page fault (supervisor read data). 
This happens in line 276  in /usr/src/sys/fs/fifofs/fifo_vnops.c:

/*
* Device close routine
*/
/* ARGSUSED */
static int
fifo_close(ap)
struct vop_close_args /* {
struct vnode *a_vp;
int  a_fflag;
struct ucred *a_cred;
struct thread *a_td;
} */ *ap;
{
    struct vnode *vp;
    struct fifoinfo *fip;
    struct pipe *cpipe;
    vp = ap->a_vp;
    fip = vp->v_fifoinfo;    # crash occurs here
    [...]

In this snippet when setting the value of fip by accessing the v_fifoinfo field fip is set to zero.
(kgdb) p *vp
$1 = {[...], {v_mountedhere = 0x0, v_unpcb = 0x0, v_rdev = 0x0, v_fifoinfo = 0x0} [...] }

The corresponding assembly instruction is:

0xffffffff80a36b36 <fifo_close+22>:	mov    r14,QWORD PTR [r12]

And confirms the above. At the time of the crash r12 = 0x0 and hence accessing the value at memory address 0x0 is causing the kernel DoS.
That said, If an attacker would have access to r12 this may lead to an information leak.


*Affected versions*: tested with FreeBSD 12.0-RELEASE AMD64. 

*Workaround*: Do not load ext2fs 

---

fsu reports Cannot be reproduced on CURRENT r349333, reproduced on 12 at r341666
Comment 1 Ed Maste freebsd_committer 2020-10-10 00:03:52 UTC
Submitter's reproduction files, notes etc. are available at https://people.freebsd.org/~emaste/bugs/PR250223/