xfs ioctl XFS_IOC_FSGEOMETRY_V1 clobbers kernel stack

Bug #788351 reported by Keegan McAllister
Affects            Status        Importance  Assigned to    Milestone
linux (Ubuntu)     Fix Released  High        Kees Cook
  Hardy            Won't Fix     Undecided   Paolo Pisati
  Lucid            Fix Released  Undecided   Unassigned
  Maverick         Fix Released  Undecided   Unassigned
  Natty            Fix Released  Undecided   Unassigned
  Oneiric          Fix Released  High        Kees Cook

Bug Description

Binary package hint: linux-image-2.6.24-29-server

The Hardy kernel Git range Ubuntu-2.6.24-29.88..Ubuntu-2.6.24-29.89 included this patch from upstream:

    3a3675b xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1

but failed to include the follow-up:

    af24ee9 xfs: zero proper structure size for geometry calls

with the consequence that unprivileged user programs can clobber at least 4 bytes of kernel stack memory. The solution is to apply this second patch.

I was unable to reproduce the kernel panic described in af24ee9's commit message. However, the corruption can be observed by first applying this kernel patch:

========begin patch========
diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c
index 2f79328..8ba2888 100644
--- a/fs/xfs/linux-2.6/xfs_ioctl.c
+++ b/fs/xfs/linux-2.6/xfs_ioctl.c
@@ -1084,10 +1084,16 @@ xfs_ioc_fsgeometry_v1(
        xfs_fsop_geom_v1_t fsgeo;
        int error;

+ print_hex_dump_bytes("before xfs_fs_geometry: ", DUMP_PREFIX_OFFSET,
+ &fsgeo, sizeof(fsgeo)+4);
+
        error = xfs_fs_geometry(mp, (xfs_fsop_geom_t *)&fsgeo, 3);
        if (error)
                return -error;

+ print_hex_dump_bytes("after xfs_fs_geometry: ", DUMP_PREFIX_OFFSET,
+ &fsgeo, sizeof(fsgeo)+4);
+
        if (copy_to_user(arg, &fsgeo, sizeof(fsgeo)))
                return -XFS_ERROR(EFAULT);
        return 0;
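Review bot: `sizeof(fsgeo)+4` in both `print_hex_dump_bytes()` calls deliberately reads 4 bytes past the end of the local `fsgeo`, which is what makes the clobber visible in dmesg but is itself an out-of-bounds stack read, so this hunk is diagnostic only and must not be merged; if it is kept in a tree, wrap it in a debug `#ifdef` so it cannot ship. The defect it exposes sits on the unchanged line `error = xfs_fs_geometry(mp, (xfs_fsop_geom_t *)&fsgeo, 3);`: an `xfs_fsop_geom_v1_t` is passed as the larger `xfs_fsop_geom_t`, so the zeroing that 3a3675b added to the callee runs past the v1 structure; af24ee9, which zeroes only the size appropriate to the requested structure, is the actual fix. The two continuation lines `&fsgeo, sizeof(fsgeo)+4);` have also lost their indentation and would not pass checkpatch as-is.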
========end patch========

and then executing the following script as root

========begin reproducer========
#!/bin/sh -e

cd /tmp
apt-get install xfsprogs
# Build a small XFS image and loop-mount it so an unprivileged user
# has an XFS file descriptor to issue the ioctl against.
dd if=/dev/zero of=xfs.img bs=1M count=16
mkfs.xfs xfs.img
mkdir -p xfs.mnt
mount -o loop -t xfs xfs.img xfs.mnt

# Quote the delimiter so the shell does not expand anything in the C source.
cat > xfs-geom-v1.c <<'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/ioctl.h>

/* Same size as the kernel's xfs_fsop_geom_v1_t (108 bytes); only the
 * size matters for the ioctl number and the copy back to user space. */
typedef char fake_xfs_fsop_geom_v1_t[108];

#define XFS_IOC_FSGEOMETRY_V1 _IOR('X', 100, fake_xfs_fsop_geom_v1_t)

int main(int argc, char **argv) {
    /* Any open descriptor on the mounted XFS filesystem will do. */
    const char *path = argc > 1 ? argv[1] : "/tmp/xfs.mnt";
    int fd, ret;
    fake_xfs_fsop_geom_v1_t geom;

    fd = open(path, O_RDONLY);
    if (fd < 0) {
        perror("open");
        exit(1);
    }

    ret = ioctl(fd, XFS_IOC_FSGEOMETRY_V1, geom);
    if (ret) {
        perror("ioctl");
        exit(1);
    }

    return 0;
}
EOF
gcc -o xfs-geom-v1 xfs-geom-v1.c
# Run as an unprivileged user: the ioctl requires no special privilege.
sudo -u nobody ./xfs-geom-v1 ./xfs.mnt
# The debugging patch prints both hexdumps to the kernel log.
dmesg | grep xfs_fs_geometry
========end reproducer========

The four bytes at the end of each hexdump lie outside the kernel's struct "fsgeo" but are zeroed by the call to xfs_fs_geometry().
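The size mismatch behind this report, reduced to a user-space model (an added example, not the reporter's or the kernel's code): a 108-byte v1 buffer is cast to the 112-byte newer layout, the callee zeroes sizeof the larger type and overwrites whatever follows on the caller's stack, while the corrected variant zeroes only the requested version's size. The struct layouts, the field name `logsunit` and the `>= 4` version threshold are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for the two XFS geometry layouts, not the kernel's
 * definitions: v1 is 108 bytes, the newer layout appends one u32 (112). */
struct geom_v1 { uint8_t body[108]; };
struct geom    { struct geom_v1 v1; uint32_t logsunit; };

/* Caller's stack frame: a v1 buffer, then a sentinel standing in for what
 * the kernel keeps next on the stack (volatile: always re-read it). */
struct frame { struct geom_v1 fsgeo; volatile uint32_t sentinel; };

/* Behaviour after 3a3675b alone: zero the whole larger structure. */
static void fs_geometry_buggy(struct geom *geo, int new_version)
{
    memset(geo, 0, sizeof(*geo));
    if (new_version >= 4)
        geo->logsunit = 1;
}

/* In the spirit of af24ee9: zero only what the requested version occupies.
 * The ">= 4" threshold is this example's assumption. */
static void fs_geometry_fixed(struct geom *geo, int new_version)
{
    if (new_version >= 4) {
        memset(geo, 0, sizeof(*geo));
        geo->logsunit = 1;
    } else {
        memset(geo, 0, sizeof(struct geom_v1));
    }
}

/* Mirrors xfs_ioc_fsgeometry_v1(): the v1 buffer is cast to the larger type
 * with version 3 requested. Returns the sentinel; 0xdeadbeef = intact. */
uint32_t run_v1_ioctl(int use_fix)
{
    struct frame f;
    memset(f.fsgeo.body, 0xaa, sizeof f.fsgeo.body);
    f.sentinel = 0xdeadbeefu;
    if (use_fix)
        fs_geometry_fixed((struct geom *)&f.fsgeo, 3);
    else
        fs_geometry_buggy((struct geom *)&f.fsgeo, 3);
    return f.sentinel;
}

int main(void)
{
    printf("buggy: 0x%08x  fixed: 0x%08x\n", run_v1_ioctl(0), run_v1_ioctl(1));
    return 0;
}
```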

Tags: hardy

Kees Cook (kees) wrote :

Incomplete fix for CVE-2011-0711.

visibility: private → public
tags: added: hardy
Changed in linux (Ubuntu):
assignee: nobody → Kees Cook (kees)
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 788351

and then change the status of the bug back to 'New'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Keegan McAllister (keegan-ksplice) wrote :

The bug report contains enough information to identify and fix the problem, including the Git commit identifier of the necessary patch from upstream.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Luke Faraone (lfaraone)
Changed in linux (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged
Tim Gardner (timg-tpi) wrote :

Ubuntu-2.6.32-32.62

Changed in linux (Ubuntu Natty):
status: New → Fix Released
Changed in linux (Ubuntu Oneiric):
status: Triaged → Fix Released
Changed in linux (Ubuntu Hardy):
assignee: nobody → Paolo Pisati (p-pisati)
status: New → Fix Committed
Changed in linux (Ubuntu Lucid):
status: New → Fix Released
Tim Gardner (timg-tpi) wrote :

Ubuntu-2.6.35-30.52

Changed in linux (Ubuntu Maverick):
status: New → Fix Released
Changed in linux (Ubuntu Hardy):
status: Fix Committed → Won't Fix