Multiple Memory Corruption Issues in ntfs.ko (Linux 4.15.0-15.16)

Bug #1763403 reported by Sergej Schumilo
Affects: linux (Ubuntu) | Status: Triaged | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Dear all,
The following memory corruption issues in ntfs.ko (such as use-after-frees, stack- and heap-out-of-bounds accesses and BUG_ON / BUG assertion failures) were found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL). I have attached the NTFS filesystem image that triggers them, the dmesg reports, the KASAN reports and the source code of a simple mounting tool to reproduce those issues (ntfs_inject.c).

Local users who have been granted the privileges necessary to mount filesystems (or system components which auto-mount filesystems) could trigger a kernel oops, a kernel panic (depending on panic_on_oops) or exploit those bugs to raise privileges.

We can verify these issues for Linux 4.15.0-15.16 (Ubuntu 16.04.4 LTS / sources from "pull-lp-source linux").

Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität Bochum)

Best regards,
Sergej Schumilo

Sergej Schumilo (schumilo) wrote :
summary: - Multiple Memory Corruption Issues in ntfs.ko
+ Multiple Memory Corruption Issues in ntfs.ko (Linux 4.15.0-15.16)
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better.

Please report this issue to the upstream kernel developers by contacting <email address hidden>

Once the Linux kernel security team has evaluated the issue, and a proper fix is available, we will release a security update for Ubuntu.

Changed in linux (Ubuntu):
status: New → Triaged
Sergej Schumilo (schumilo) wrote :

Reported to <email address hidden>.

Seth Arnold (seth-arnold) wrote :

Hello Sergej, do you know if discussion of this issue has been made public?

Thanks

Sergej Schumilo (schumilo) wrote :

Yes, the discussion can be found here: https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2

Seth Arnold (seth-arnold) wrote :

Excellent, thanks Sergej.

information type: Private Security → Public Security
Emily Ratliff (emilyr) wrote :

These issues have received the following identifiers:
CVE-2018-12929 for the issue in ntfs_read_locked_inode
CVE-2018-12930 for the issue in ntfs_end_buffer_async_read
CVE-2018-12931 for the issue in ntfs_attr_find

gmx (elvisgmx)
information type: Public Security → Public
information type: Public → Public Security
information type: Public Security → Public