xfs ioctl XFS_IOC_FSGEOMETRY_V1 clobbers kernel stack
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | High | Kees Cook |
Hardy | Won't Fix | Undecided | Paolo Pisati |
Lucid | Fix Released | Undecided | Unassigned |
Maverick | Fix Released | Undecided | Unassigned |
Natty | Fix Released | Undecided | Unassigned |
Oneiric | Fix Released | High | Kees Cook |
Bug Description
Binary package hint: linux-image-
The Hardy kernel Git range Ubuntu-
3a3675b xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
but failed to include the follow-up:
af24ee9 xfs: zero proper structure size for geometry calls
with the consequence that unprivileged user programs can clobber at least 4 bytes of kernel stack memory. The solution is to apply this second patch.
I was unable to reproduce the kernel panic described in af24ee9's commit message. However, the corruption can be observed by first applying this kernel patch:
========begin patch========
diff --git a/fs/xfs/
index 2f79328..8ba2888 100644
--- a/fs/xfs/
+++ b/fs/xfs/
@@ -1084,10 +1084,16 @@ xfs_ioc_
int error;
+ print_hex_
+ &fsgeo, sizeof(fsgeo)+4);
+
error = xfs_fs_geometry(mp, (xfs_fsop_geom_t *)&fsgeo, 3);
if (error)
+ print_hex_
+ &fsgeo, sizeof(fsgeo)+4);
+
if (copy_to_user(arg, &fsgeo, sizeof(fsgeo)))
return 0;
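Review bot: as the hunk reads here, the second `print_hex_` call sits directly under `if (error)` with no braces, so it would run only on the error path and the original `return -error;` body of that `if` is not visible in this context; if the intent is to dump the struct after every `xfs_fs_geometry()` call, move the dump below the error check. Both dumps deliberately read `sizeof(fsgeo)+4` bytes, i.e. four bytes past the local `fsgeo`, which is fine for observing the clobber but marks this as a debugging patch that must not be merged. The visible line `error = xfs_fs_geometry(mp, (xfs_fsop_geom_t *)&fsgeo, 3);` also shows the root cause this report is about: a smaller `fsgeo` is cast to the larger `xfs_fsop_geom_t *`, so any write sized by the larger type overruns the local.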
========end patch========
and then executing the following script as root
========begin reproducer========
#!/bin/sh -e
cd /tmp
apt-get install xfsprogs
dd if=/dev/zero of=xfs.img bs=1M count=16
mkfs.xfs xfs.img
mkdir -p xfs.mnt
mount -o loop -t xfs xfs.img xfs.mnt
cat > xfs-geom-v1.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/ioctl.h>
typedef char fake_xfs_
#define XFS_IOC_
int main() {
int fd, ret;
fake_
fd = open("/
if (fd < 0) {
exit(1);
}
ret = ioctl(fd, XFS_IOC_
if (ret) {
exit(1);
}
return 0;
}
EOF
gcc -o xfs-geom-v1 xfs-geom-v1.c
sudo -u nobody ./xfs-geom-v1 ./xfs.mnt
dmesg | grep xfs_fs_geometry
========end reproducer========
The four bytes at the end of each hexdump lie outside the kernel's struct "fsgeo" but are zeroed by the call to xfs_fs_geometry().
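The size mismatch behind those four bytes, shown as an added userspace illustration that is not part of this bug report or of the XFS source. The two struct layouts below are hypothetical stand-ins for xfs_fsop_geom_v1_t and xfs_fsop_geom_t (the real ones are larger), the filler functions are assumptions modelled on the two patches named above, and the caller's neighbouring stack is simulated by a guard region filled with a known byte so the overrun can be counted instead of crashing:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the two geometry layouts (NOT the real XFS
 * definitions): the newer layout is a superset of the older one, so a
 * caller holding the v1 layout owns strictly fewer bytes. */
struct geom_v1 {
    uint32_t blocksize;
    uint32_t agblocks;
    uint32_t agcount;
    uint32_t datablocks;
};

struct geom_v4 {
    struct geom_v1 v1;      /* v1 fields first, unchanged */
    uint32_t logblocks;
    uint32_t sectsize;
    uint32_t inodesize;
    uint32_t dirblocksize;
};

/* Byte the simulated caller pre-fills its frame with, so a clobber is visible. */
#define GUARD_FILL 0xAAu

/* Broken pattern (what the first patch alone does): zero the full, largest
 * layout regardless of which layout the caller allocated. A v1 caller passed
 * a struct geom_v1, so the tail of the memset lands beyond its object on
 * whatever sits next to it on the stack. */
static void fill_geometry_buggy(void *geo, int version)
{
    (void)version;
    memset(geo, 0, sizeof(struct geom_v4));
    struct geom_v1 *base = geo;
    base->blocksize = 4096;
    base->agcount = 4;
}

/* Corrected pattern (what the follow-up patch does): size the zeroing by the
 * layout the caller asked for, so only the caller's own object is written. */
static void fill_geometry_fixed(void *geo, int version)
{
    size_t len = (version >= 3) ? sizeof(struct geom_v4)
                                : sizeof(struct geom_v1);
    memset(geo, 0, len);
    struct geom_v1 *base = geo;
    base->blocksize = 4096;
    base->agcount = 4;
}

/* Simulate a caller whose local object is exactly caller_size bytes, placed
 * in front of a guard region pre-filled with GUARD_FILL. Returns how many
 * guard bytes the filler overwrote (0 for a correct implementation). The
 * frame is large enough that even the buggy memset stays inside it. */
static size_t guard_bytes_clobbered(void (*fill)(void *, int), int version,
                                    size_t caller_size)
{
    unsigned char frame[sizeof(struct geom_v4) + 32];
    memset(frame, GUARD_FILL, sizeof frame);
    fill(frame, version);

    size_t clobbered = 0;
    for (size_t i = caller_size; i < sizeof frame; i++)
        if (frame[i] != GUARD_FILL)
            clobbered++;
    return clobbered;
}

int main(void)
{
    printf("buggy filler, v1 caller: %zu guard bytes clobbered\n",
           guard_bytes_clobbered(fill_geometry_buggy, 1, sizeof(struct geom_v1)));
    printf("fixed filler, v1 caller: %zu guard bytes clobbered\n",
           guard_bytes_clobbered(fill_geometry_fixed, 1, sizeof(struct geom_v1)));
    return 0;
}
```

With these stand-in layouts the buggy filler clobbers 16 guard bytes for a v1 caller (sizeof(geom_v4) - sizeof(geom_v1)), while the fixed filler clobbers none for either caller; in the kernel the overrun is 4 bytes because the real layouts differ by that much. The general lesson is the same as the follow-up commit's: when a function accepts a pointer that callers may cast from a smaller type, any memset or copy into it must be sized by what the caller actually owns, never by the largest type the pointer could point to.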
CVE References
tags: added: hardy
Changed in linux (Ubuntu):
assignee: nobody → Kees Cook (kees)
Changed in linux (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged
Changed in linux (Ubuntu Hardy):
status: Fix Committed → Won't Fix
Incomplete fix for CVE-2011-0711.