crafted reiserfs filesystem image local DoS (reboot)

Bug #276350 reported by David Maciejak
Affects | Status | Importance | Assigned to | Milestone
Linux | Confirmed | High | |
linux (Ubuntu) | Confirmed | Wishlist | Unassigned |

Bug Description

Binary package hint: linux-image-2.6.24-19-generic

lsb_release -rd
Description: Ubuntu 8.04.1
Release: 8.04

uname -a
Linux desktop 2.6.24-19-generic #1 SMP Wed Aug 20 22:56:21 UTC 2008 i686 GNU/Linux

Hi,

I am playing around with some filesystems and got some weird results I would like to share with you.
Just uncompress the enclosed reiserfs_local_dos.img.gz file and mount it with
"mount reiserfs_local_dos.img /media/here -o loop" and the Linux box reboots.

Regards,

David Maciejak
Fortinet's FortiGuard Global Security Research Team

David Maciejak (dmaciejak) wrote :

Another point, kern.log seems ok:

Sep 30 16:22:37 koma-desktop kernel: [ 95.120581] loop: module loaded
Sep 30 16:22:38 koma-desktop kernel: [ 95.775658] ReiserFS: loop0: found reiserfs format "3.6" with standard journal
Sep 30 16:22:38 koma-desktop kernel: [ 95.775665] ReiserFS: loop0: using ordered data mode
Sep 30 16:22:38 koma-desktop kernel: [ 95.817492] ReiserFS: loop0: journal params: device loop0, size 8125, journal first block 66, max trans len 256, max batch 225, max commit age 30, max trans age 30
Sep 30 16:22:38 koma-desktop kernel: [ 95.817898] ReiserFS: loop0: checking transaction log (loop0)
Sep 30 16:22:41 koma-desktop kernel: [ 97.088523] ReiserFS: loop0: Using r5 hash to sort names

David Maciejak (dmaciejak) wrote :

Also checked with 2.6.27-4-generic

David Maciejak (dmaciejak) wrote :

Is there really someone reading this?

Kees Cook (kees) wrote :

Thanks for the report! Have you reported this to the upstream linux kernel yet?

Changed in linux:
status: New → Confirmed
David Maciejak (dmaciejak) wrote :

Yes, as nobody answered I checked with 2.6.28; the same problem occurs, so I reported it at
http://bugzilla.kernel.org/show_bug.cgi?id=12335

Changed in linux:
status: Unknown → Confirmed
Kees Cook (kees)
Changed in linux (Ubuntu):
importance: Undecided → Wishlist
Andy Whitcroft (apw) wrote :

Testing this on a real machine you cannot even use sysrq-b to reboot the machine, nor do you get any sort of panic. Ouch.

Changed in linux:
importance: Unknown → High
Jamie Strandboge (jdstrand) wrote :

Unmarking as security. This requires root privileges to cause the DoS (mount).

security vulnerability: yes → no