Null-Pointer Deference in hfs.ko (Linux 4.15.0-15.16)

Bug #1763384 reported by Sergej Schumilo
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)

Bug Description

Dear all,
The following null pointer dereference bug was found by a modified version of the kAFL fuzzer ( I have attached the causing hfs filesystem image, the dmesg report and the source code of a simple mounting tool to reproduce this issue.

A local users who have been granted the privileges necessary to mount filesystems (or a system components which auto mounts filesystems) could trigger a null pointer dereference or a kernel panic (depending on panic_on_oops).

We can verify this issues for Linux 4.15.0-15.16 (Ubuntu 16.04.4 LTS / sources from "pull-lp-source linux"). The desktop version of ubuntu auto-mounts this file system if provided via USB.

Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität Bochum)

Best regards,
Sergej Schumilo

CVE References

Revision history for this message
Sergej Schumilo (schumilo) wrote :
summary: - Null-Pointer Deference in hfs.ko
+ Null-Pointer Deference in hfs.ko (Linux 4.15.0-15.16)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better.

Please report this issue to the upstream kernel developers by contacting <email address hidden>

Once the Linux kernel security team has evaluated the issue, and a proper fix is available, we will release a security update for Ubuntu.

Changed in linux (Ubuntu):
status: New → Triaged
Revision history for this message
Sergej Schumilo (schumilo) wrote :

Reported to <email address hidden>

Revision history for this message
Sergej Schumilo (schumilo) wrote :

According to Matthew Wilcox this is probably a won't fix bug with a recommendation to the Ubuntu developers to disable or remove support for this orphaned kernel module:

However, since this is still a vulnerability which can be exploited to trigger a local denial-of-service, could you please somehow fix this issue and assign a CVE?

Best regards,

information type: Private Security → Public Security
Revision history for this message
Emily Ratliff (emilyr) wrote :

This issue has received the following identifier: CVE-2018-12928

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.