Null-Pointer Dereference in hfs.ko (Linux 4.15.0-15.16)

Bug #1763384 reported by Sergej Schumilo
Affects: linux (Ubuntu)

Bug Description

Dear all,
The following null pointer dereference bug was found by a modified version of the kAFL fuzzer. I have attached the triggering hfs filesystem image, the dmesg report and the source code of a simple mounting tool to reproduce this issue.

Local users who have been granted the privileges necessary to mount filesystems (or system components which auto-mount filesystems) could trigger a null pointer dereference or a kernel panic (depending on panic_on_oops).

We can verify this issue for Linux 4.15.0-15.16 (Ubuntu 16.04.4 LTS / sources from "pull-lp-source linux"). The desktop version of Ubuntu auto-mounts this file system if provided via USB.

Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität Bochum)

Best regards,
Sergej Schumilo

CVE References

CVE-2018-12928

Sergej Schumilo (schumilo) wrote :
summary: - Null-Pointer Deference in hfs.ko
+ Null-Pointer Deference in hfs.ko (Linux 4.15.0-15.16)
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better.

Please report this issue to the upstream kernel developers by contacting <email address hidden>

Once the Linux kernel security team has evaluated the issue, and a proper fix is available, we will release a security update for Ubuntu.

Changed in linux (Ubuntu):
status: New → Triaged
Sergej Schumilo (schumilo) wrote :

Reported to <email address hidden>

Sergej Schumilo (schumilo) wrote :

According to Matthew Wilcox this is probably a won't-fix bug, with a recommendation to the Ubuntu developers to disable or remove support for this orphaned kernel module:

However, since this is still a vulnerability which can be exploited to trigger a local denial-of-service, could you please somehow fix this issue and assign a CVE?

Best regards,

information type: Private Security → Public Security
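The upstream recommendation quoted above is to disable the orphaned module rather than patch it, and the bug description notes that the desktop automounter will load hfs for any USB image. The script below is an added example, not code from the bug report or from Ubuntu: it checks whether hfs/hfsplus are currently loaded or still loadable on demand, and emits the modprobe.d stanza that blocks both. The lsmod output and config contents are constructed inline so it runs offline; on a real system you would feed it `lsmod` and the contents of /etc/modprobe.d/*.conf. Note that `blacklist` alone only stops alias-based autoloading; `install <mod> /bin/false` is what stops `mount -t hfs` from pulling the module in via request_module.

```shell
#!/bin/sh
# Added example (not part of the bug report): hardening check for the orphaned
# hfs/hfsplus modules. Inputs below are constructed for this example.

# Constructed sample of `lsmod` output showing both modules loaded.
SAMPLE_LSMOD='Module                  Size  Used by
hfs                    57344  0
hfsplus               110592  0
ext4                  712704  1'

# Constructed modprobe.d contents: a weak (no-op) config and a hardened one.
WEAK_MODPROBE_CONF='# nothing here'
HARDENED_MODPROBE_CONF='install hfs /bin/false
install hfsplus /bin/false
blacklist hfs
blacklist hfsplus'

# Return 0 if the named module appears in the given lsmod text.
module_loaded() {
    # $1 = module name, $2 = lsmod text
    printf '%s\n' "$2" | awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# Return 0 if the config text contains an "install <mod> /bin/false" line,
# which prevents modprobe from loading the module even on explicit request.
module_install_disabled() {
    # $1 = module name, $2 = modprobe.d text
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/false([[:space:]]|\$)"
}

# Print a one-word verdict for a module: "loaded", "disabled", or "loadable".
hfs_status() {
    # $1 = module name, $2 = lsmod text, $3 = modprobe.d text
    if module_loaded "$1" "$2"; then
        echo loaded
    elif module_install_disabled "$1" "$3"; then
        echo disabled
    else
        echo loadable
    fi
}

# Emit the stanza to write to /etc/modprobe.d/disable-hfs.conf (assumed
# filename); unload already-loaded modules separately with rmmod.
hardened_stanza() {
    printf '%s\n' "$HARDENED_MODPROBE_CONF"
}

# Stand-alone run: report both modules before and after hardening.
for m in hfs hfsplus; do
    echo "$m (sample system):   $(hfs_status "$m" "$SAMPLE_LSMOD" "$WEAK_MODPROBE_CONF")"
    echo "$m (after hardening): $(hfs_status "$m" 'Module Size Used by' "$HARDENED_MODPROBE_CONF")"
done
```

A module reported as "loadable" is the state the automounter exploits on a stock desktop: nothing is resident yet, but plugging in a crafted USB image causes the kernel to request the module and mount the filesystem. "disabled" is the state the upstream advice aims for.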
Emily Ratliff (emilyr) wrote :

This issue has received the following identifier: CVE-2018-12928
