Multiple Memory Corruption Issues in ntfs.ko (Linux 4.15.0-15.16)

Bug #1763403 reported by Sergej Schumilo on 2018-04-12
Affects: linux (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

Dear all,
The following memory corruption issues in ntfs.ko (such as use-after-frees, stack- and heap-out-of-bounds accesses and BUG_ON / BUG assertion failures) were found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL). I have attached the triggering NTFS filesystem image, the dmesg reports, the KASAN reports and the source code of a simple mounting tool to reproduce those issues (ntfs_inject.c).

Local users who have been granted the privileges necessary to mount filesystems (or system components which auto-mount filesystems) could trigger a kernel oops, a kernel panic (depending on panic_on_oops) or exploit those bugs to raise privileges.

We can verify these issues for Linux 4.15.0-15.16 (Ubuntu 16.04.4 LTS / sources from "pull-lp-source linux").

Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität Bochum)

Best regards,
Sergej Schumilo

Sergej Schumilo (schumilo) wrote :
summary: - Multiple Memory Corruption Issues in ntfs.ko
+ Multiple Memory Corruption Issues in ntfs.ko (Linux 4.15.0-15.16)
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better.

Please report this issue to the upstream kernel developers by contacting <email address hidden>

Once the Linux kernel security team has evaluated the issue, and a proper fix is available, we will release a security update for Ubuntu.

Changed in linux (Ubuntu):
status: New → Triaged
Sergej Schumilo (schumilo) wrote :

Reported to <email address hidden>.

Seth Arnold (seth-arnold) wrote :

Hello Sergej, do you know if discussion of this issue has been made public?

Thanks

Sergej Schumilo (schumilo) wrote :

Yes, the discussion can be found here: https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2

Seth Arnold (seth-arnold) wrote :

Excellent, thanks Sergej.

information type: Private Security → Public Security
Emily Ratliff (emilyr) wrote :

These issues have received the following identifiers:
CVE-2018-12929 for the issue in ntfs_read_locked_inode
CVE-2018-12930 for the issue in ntfs_end_buffer_async_read
CVE-2018-12931 for the issue in ntfs_attr_find

gmx (elvisgmx) on 2018-06-30
information type: Public Security → Public
information type: Public → Public Security
information type: Public Security → Public