Bug 266562 - malicious Linux LVM label can cause crash during taste
Summary: malicious Linux LVM label can cause crash during taste
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Zhenlei Huang
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-09-23 09:53 UTC by Robert Morris
Modified: 2023-09-06 05:02 UTC
CC List: 4 users

See Also:
zlei: mfc-stable14+
zlei: mfc-stable13+
zlei: mfc-stable12+


Attachments
a disk image that causes a crash in llvm_label_decode() during tasting (4.00 KB, application/octet-stream)
2022-09-23 09:53 UTC, Robert Morris

Description Robert Morris 2022-09-23 09:53:37 UTC
Created attachment 236762 [details]
a disk image that causes a crash in llvm_label_decode() during tasting

In llvm_label_decode():
  
        ll->ll_offset = le32dec(data + 20);
        ...
        off = ll->ll_offset;
        ...
        bcopy(data + off, uuid, 6);

off is read from the disk and used without a sanity check, so a bad
value can cause a wild pointer reference.

I've attached a demo disk image.

# kldload geom_linux_lvm
# mdconfig -f taste25a.img
panic: Fatal page fault at 0xffffffc000270b32: 0xffffffd1019359ff
cpuid = 0
time = 1663881738
KDB: stack backtrace:
db_trace_self() at db_trace_self
db_trace_self_wrapper() at db_trace_self_wrapper+0x38
kdb_backtrace() at kdb_backtrace+0x2c
vpanic() at vpanic+0x170
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0xffffffd1019359ff
llvm_label_decode() at llvm_label_decode+0xb4
g_llvm_read_label() at g_llvm_read_label+0xce
g_llvm_taste() at g_llvm_taste+0xba
g_new_provider_event() at g_new_provider_event+0xb8
one_event() at one_event+0x102
g_run_events() at g_run_events+0x8a
g_event_procbody() at g_event_procbody+0x56
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xa

FreeBSD  14.0-CURRENT FreeBSD 14.0-CURRENT #158 main-n250931-18f03443a230-dirty: Thu Sep 22 18:55:59 EDT 2022     rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
Comment 1 Zhenlei Huang freebsd_committer freebsd_triage 2022-09-28 14:37:51 UTC
WIP patch to solve this issue: https://reviews.freebsd.org/D36773
Comment 2 Robert Morris 2022-09-28 17:40:04 UTC
Also, in g_llvm_read_md(), the value of md_relsize needs to be checked
before

        buf[md->md_relsize] = '\0';
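The two defects reported above (the unchecked `ll_offset` in the description and the unchecked `md_relsize` in comment 2) are the same class of bug: a length or offset read from the disk is used to index a fixed-size kernel buffer. The following is an added, stand-alone C example, not code from FreeBSD's `geom_linux_lvm`; it models a label decoder over a constructed 512-byte sector that keeps the 32-bit little-endian offset at byte 20 as in the excerpt, and shows the range checks a decoder needs before copying at `data + off` or writing the terminating NUL at `buf[relsize]`. The `demo_*` names, the 6-byte ID, the `"LABELONE"` marker and the sample sector contents are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for the demo: one 512-byte sector with the 32-bit
 * little-endian PV header offset at byte 20 (as in the excerpt). The
 * ID length and the "LABELONE" marker are assumptions, not LVM's format. */
#define SECTOR_SIZE  512u
#define OFFSET_FIELD 20u
#define PV_ID_LEN    6u

struct demo_label {
    uint32_t ll_offset;          /* offset of the PV header within the sector */
    unsigned char id[PV_ID_LEN]; /* bytes copied from data + ll_offset */
};

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff;         p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Hardened decoder: the on-disk offset is range-checked against the buffer
 * length before it is dereferenced. Returns 0 on success, -1 if the label
 * is truncated or the offset does not leave PV_ID_LEN bytes in the sector. */
int demo_label_decode(const unsigned char *data, size_t len, struct demo_label *ll)
{
    if (len < OFFSET_FIELD + 4)
        return -1;
    ll->ll_offset = rd_le32(data + OFFSET_FIELD);
    /* Compare by subtraction so a huge offset cannot wrap off + PV_ID_LEN. */
    if (ll->ll_offset > len || len - ll->ll_offset < PV_ID_LEN)
        return -1;
    memcpy(ll->id, data + ll->ll_offset, PV_ID_LEN);
    return 0;
}

/* Same discipline for the relsize case: the NUL written at buf[relsize]
 * must itself lie inside the destination buffer, so relsize < buflen. */
int demo_copy_metadata(const unsigned char *md, uint32_t relsize,
                       char *buf, size_t buflen)
{
    if (relsize >= buflen)
        return -1;
    memcpy(buf, md, relsize);
    buf[relsize] = '\0';
    return 0;
}

/* Build a constructed sector whose offset field is `off` and decode it.
 * Returns 0 if the decoder accepted it and the ID round-tripped, else -1. */
int demo_decode_with_offset(uint32_t off)
{
    unsigned char sector[SECTOR_SIZE];
    struct demo_label ll;

    memset(sector, 0, sizeof sector);
    memcpy(sector, "LABELONE", 8);
    wr_le32(sector + OFFSET_FIELD, off);
    if (off <= SECTOR_SIZE - PV_ID_LEN)      /* only in-range offsets get an ID */
        memcpy(sector + off, "PVID01", PV_ID_LEN);

    if (demo_label_decode(sector, sizeof sector, &ll) != 0)
        return -1;
    return memcmp(ll.id, "PVID01", PV_ID_LEN) == 0 ? 0 : -1;
}

/* Copy `relsize` bytes of constructed metadata into a 16-byte buffer.
 * Returns the resulting string length on success, -1 if rejected. */
int demo_copy_with_relsize(uint32_t relsize)
{
    static const unsigned char md[32] = "constructed-lvm-metadata-block";
    char buf[16];

    if (demo_copy_metadata(md, relsize, buf, sizeof buf) != 0)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    printf("offset 32:         %d\n", demo_decode_with_offset(32));
    printf("offset 508:        %d\n", demo_decode_with_offset(508));
    printf("offset 0xfffffff0: %d\n", demo_decode_with_offset(0xfffffff0u));
    printf("relsize 15:        %d\n", demo_copy_with_relsize(15));
    printf("relsize 16:        %d\n", demo_copy_with_relsize(16));
    return 0;
}
```

The check in `demo_label_decode` deliberately computes `len - ll->ll_offset` instead of `ll->ll_offset + PV_ID_LEN`, because with a 32-bit offset read straight from the disk the addition can wrap and pass a naive `<= len` comparison; the same pattern applies to any taste-time parser that trusts sizes or offsets found in on-disk metadata.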
Comment 3 Zhenlei Huang freebsd_committer freebsd_triage 2023-08-18 09:21:19 UTC
Hi @Robert,
May you please test the patch and verify it works?


(In reply to Robert Morris from comment #2)
This is a different issue and should be reported separately. Anyway I'll check that.
Comment 4 Robert Morris 2023-08-18 10:01:34 UTC
(In reply to Zhenlei Huang from comment #3)
Yes -- the patch fixes the problem for me.
Comment 5 Zhenlei Huang freebsd_committer freebsd_triage 2023-08-18 10:14:43 UTC
(In reply to Robert Morris from comment #4)
Good! Thanks for testing it!
Comment 6 commit-hook freebsd_committer freebsd_triage 2023-08-22 09:40:14 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c941b82e1c31a67a025c43cc7bd31f269fa62588

commit c941b82e1c31a67a025c43cc7bd31f269fa62588
Author:     Zhenlei Huang <zlei@FreeBSD.org>
AuthorDate: 2023-08-22 09:20:10 +0000
Commit:     Zhenlei Huang <zlei@FreeBSD.org>
CommitDate: 2023-08-22 09:20:10 +0000

    geom_linux_lvm: Check the offset of physical volume header

    The LVM label is stored on any of the first four sectors, and the
    PV (physical volume) header is stored within the same sector following
    the LVM label. The current implementation does not fully check the
    offset of PV header, when attaching a bad formatted LVM PV the kernel
    may crash due to out-of-bounds memory read.

    PR:     266562
    Reviewed by:    jhb
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D36773

 sys/geom/linux_lvm/g_linux_lvm.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
Comment 7 commit-hook freebsd_committer freebsd_triage 2023-09-06 04:20:13 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=809450c4b53109b6ca8a87054452f2b3b8f711aa

commit 809450c4b53109b6ca8a87054452f2b3b8f711aa
Author:     Zhenlei Huang <zlei@FreeBSD.org>
AuthorDate: 2023-08-22 09:20:10 +0000
Commit:     Zhenlei Huang <zlei@FreeBSD.org>
CommitDate: 2023-09-06 04:17:49 +0000

    geom_linux_lvm: Check the offset of physical volume header

    The LVM label is stored on any of the first four sectors, and the
    PV (physical volume) header is stored within the same sector following
    the LVM label. The current implementation does not fully check the
    offset of PV header, when attaching a bad formatted LVM PV the kernel
    may crash due to out-of-bounds memory read.

    PR:             266562
    Reviewed by:    jhb
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D36773

    (cherry picked from commit c941b82e1c31a67a025c43cc7bd31f269fa62588)

 sys/geom/linux_lvm/g_linux_lvm.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
Comment 8 commit-hook freebsd_committer freebsd_triage 2023-09-06 04:53:26 UTC
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=70e32e5b52d9b34bdc205f04a616998effc493b0

commit 70e32e5b52d9b34bdc205f04a616998effc493b0
Author:     Zhenlei Huang <zlei@FreeBSD.org>
AuthorDate: 2023-08-22 09:20:10 +0000
Commit:     Zhenlei Huang <zlei@FreeBSD.org>
CommitDate: 2023-09-06 04:32:56 +0000

    geom_linux_lvm: Check the offset of physical volume header

    The LVM label is stored on any of the first four sectors, and the
    PV (physical volume) header is stored within the same sector following
    the LVM label. The current implementation does not fully check the
    offset of PV header, when attaching a bad formatted LVM PV the kernel
    may crash due to out-of-bounds memory read.

    PR:             266562
    Reviewed by:    jhb
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D36773

    (cherry picked from commit c941b82e1c31a67a025c43cc7bd31f269fa62588)
    (cherry picked from commit 809450c4b53109b6ca8a87054452f2b3b8f711aa)

 sys/geom/linux_lvm/g_linux_lvm.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
Comment 9 Zhenlei Huang freebsd_committer freebsd_triage 2023-09-06 05:02:14 UTC
Fixed.
Thanks @Robert for the report!