Bug 971170
| Summary: | Kernel: Infinite loop in the ext4 support could cause a denial of service. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jonathan Salwan <jonathan.salwan> | ||||
| Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 20 | CC: | gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2013-09-23 18:10:38 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Maintainer notified on linux-ext4 mailing list. Is now fixed and committed in the next-line. http://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/fs/ext4/resize.c?id=40c87e7a5404861cef33f6ced9809525a5ee2c50 This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle. Changing version to '20'. More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora20 This went into Linus' tree as commit b302ef2d3c73d8a07ed2f0679ce35f00b6dcacef and is included in 3.11-rc2. |
Created attachment 757373 [details] PoC In ./fs/ext4/balloc.c the "test_root" inline function is vulnerable to 'infinite' loop. static inline int test_root(ext4_group_t a, int b) { int num = b; while (a > num) num *= b; return num == a; } The 'a' argument is controlled from the userspace and its type is an 'unsigned int'. If 'a' value is 0xffffffff, we will seldom break the 'while' condition. With CAP_SYS_RESOURCE, an unprivileged user could use this flaw to cause a denial of service. We can trigger this 'infinite' loop with the attached PoC.