Null-Pointer Dereference in hfs.ko (Linux 4.15.0-15.16)

Bug #1763384 reported by Sergej Schumilo on 2018-04-12
Affects: linux (Ubuntu); Importance: Undecided; Assigned to: Unassigned; Milestone: none

Bug Description

Dear all,
The following null pointer dereference bug was found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL). I have attached the hfs filesystem image that causes it, the dmesg report and the source code of a simple mounting tool to reproduce this issue.

Local users who have been granted the privileges necessary to mount filesystems (or system components which auto-mount filesystems) could trigger a null pointer dereference or a kernel panic (depending on panic_on_oops).

We can verify this issue for Linux 4.15.0-15.16 (Ubuntu 16.04.4 LTS / sources from "pull-lp-source linux"). The desktop version of Ubuntu auto-mounts this file system if provided via USB.

Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität Bochum)

Best regards,
Sergej Schumilo

Sergej Schumilo (schumilo) wrote :
summary: - Null-Pointer Deference in hfs.ko
+ Null-Pointer Deference in hfs.ko (Linux 4.15.0-15.16)
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better.

Please report this issue to the upstream kernel developers by contacting <email address hidden>

Once the Linux kernel security team has evaluated the issue, and a proper fix is available, we will release a security update for Ubuntu.

Changed in linux (Ubuntu):
status: New → Triaged
Sergej Schumilo (schumilo) wrote :

Reported to <email address hidden>

Sergej Schumilo (schumilo) wrote :

According to Matthew Wilcox this is probably a won't-fix bug, with a recommendation to the Ubuntu developers to disable or remove support for this orphaned kernel module:

https://marc.info/?l=linux-fsdevel&m=152407263325766&w=2

However, since this is still a vulnerability which can be exploited to trigger a local denial-of-service, could you please somehow fix this issue and assign a CVE?

Best regards,
Sergej
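The upstream recommendation above is to disable the orphaned hfs driver rather than patch it. The following is an added example (not part of this bug report or of Ubuntu's tooling) showing how an administrator can check whether hfs is already disabled through modprobe.d and, if not, write the stronger form of the block. The directory path is passed in as an argument so the script can be exercised against a constructed temporary directory instead of the live /etc/modprobe.d; the distinction it draws is that a `blacklist` line only stops alias-based autoloading (including the kernel's request for the filesystem type on mount), while an `install hfs /bin/false` line also makes an explicit `modprobe hfs` refuse to load the module.

```sh
#!/bin/sh
# Added example: audit and harden modprobe.d configuration for the hfs module.
# Not code from the bug report; the config directory is supplied by the caller.

# hfs_disable_level DIR
# Prints one of:
#   none      - no directive for hfs in DIR/*.conf
#   blacklist - "blacklist hfs": blocks alias-based autoload (e.g. on mount),
#               but an explicit "modprobe hfs" still loads the module
#   install   - "install hfs /bin/false" (or /bin/true): modprobe runs that
#               command instead of loading, so explicit loads fail as well
hfs_disable_level() {
    dir="$1"
    level="none"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*install[[:space:]]+hfs[[:space:]]+(/bin/false|/bin/true)' "$f"; then
            level="install"
            break
        fi
        if grep -Eq '^[[:space:]]*blacklist[[:space:]]+hfs[[:space:]]*$' "$f"; then
            level="blacklist"
        fi
    done
    printf '%s\n' "$level"
}

# write_hfs_block DIR
# Writes DIR/disable-hfs.conf carrying both directives, so the module is
# neither autoloaded nor loadable by name without --ignore-install.
write_hfs_block() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/disable-hfs.conf" <<'EOF'
# Constructed example: disable the orphaned hfs filesystem driver
blacklist hfs
install hfs /bin/false
EOF
}

# hfs_loaded
# Returns 0 if hfs is currently loaded in the running kernel (Linux only;
# returns 1 where /proc/modules is absent).
hfs_loaded() {
    [ -r /proc/modules ] || return 1
    grep -q '^hfs ' /proc/modules
}

# Demonstration against a constructed temporary directory, not /etc/modprobe.d.
demo_dir="${TMPDIR:-/tmp}/modprobe-demo.$$"
mkdir -p "$demo_dir"
printf 'blacklist hfs\n' > "$demo_dir/partial.conf"
echo "with blacklist only: $(hfs_disable_level "$demo_dir")"
write_hfs_block "$demo_dir"
echo "after write_hfs_block: $(hfs_disable_level "$demo_dir")"
if hfs_loaded; then
    echo "hfs is loaded in the running kernel (rmmod hfs after unmounting any hfs volumes)"
else
    echo "hfs is not loaded in the running kernel"
fi
rm -rf "$demo_dir"
```

To apply this on a real system, run `write_hfs_block /etc/modprobe.d` as root and unload any already-loaded copy; on Ubuntu the change takes effect for subsequent modprobe calls without a reboot, but an initramfs rebuild is needed only if the module were part of early boot, which hfs normally is not.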

information type: Private Security → Public Security
Emily Ratliff (emilyr) wrote :

This issue has received the following identifier: CVE-2018-12928
