crafted reiserfs filesystem image local DoS (reboot)

Bug #276350 reported by David Maciejak on 2008-09-30
Affects: Linux; Status: Confirmed; Importance: High
Affects: linux (Ubuntu); Importance: Wishlist; Assigned to: Unassigned

Bug Description

Binary package hint: linux-image-2.6.24-19-generic

lsb_release -rd
Description: Ubuntu 8.04.1
Release: 8.04

uname -a
Linux desktop 2.6.24-19-generic #1 SMP Wed Aug 20 22:56:21 UTC 2008 i686 GNU/Linux

Hi,

I am playing around with some filesystems and got some weird results I would like to share with you.
Just uncompress the enclosed reiserfs_local_dos.img.gz file and mount it with
"mount reiserfs_local_dos.img /media/here -o loop" and the Linux box reboots.

Regards,

David Maciejak
Fortinet's FortiGuard Global Security Research Team

David Maciejak (dmaciejak) wrote :

Another point, kern.log seems ok:

Sep 30 16:22:37 koma-desktop kernel: [ 95.120581] loop: module loaded
Sep 30 16:22:38 koma-desktop kernel: [ 95.775658] ReiserFS: loop0: found reiserfs format "3.6" with standard journal
Sep 30 16:22:38 koma-desktop kernel: [ 95.775665] ReiserFS: loop0: using ordered data mode
Sep 30 16:22:38 koma-desktop kernel: [ 95.817492] ReiserFS: loop0: journal params: device loop0, size 8125, journal first block 66, max trans len 256, max batch 225, max commit age 30, max trans age 30
Sep 30 16:22:38 koma-desktop kernel: [ 95.817898] ReiserFS: loop0: checking transaction log (loop0)
Sep 30 16:22:41 koma-desktop kernel: [ 97.088523] ReiserFS: loop0: Using r5 hash to sort names

David Maciejak (dmaciejak) wrote :

Also checked with 2.6.27-4-generic

David Maciejak (dmaciejak) wrote :

Is there really someone reading this?

Kees Cook (kees) wrote :

Thanks for the report! Have you reported this to the upstream linux kernel yet?

Changed in linux:
status: New → Confirmed

David Maciejak (dmaciejak) wrote :

Yes, as nobody answered I checked with 2.6.28; the same problem occurs, so I reported it at
http://bugzilla.kernel.org/show_bug.cgi?id=12335

Changed in linux:
status: Unknown → Confirmed

Kees Cook (kees) on 2009-04-16
Changed in linux (Ubuntu):
importance: Undecided → Wishlist

Andy Whitcroft (apw) wrote :

Testing this on a real machine you cannot even use sysrq-b to reboot the machine, nor do you get any sort of panic. Ouch.

Changed in linux:
importance: Unknown → High

Jamie Strandboge (jdstrand) wrote :

Unmarking as security. This requires root privileges to cause the DoS (mount).

security vulnerability: yes → no