971170 – Kernel: Infinite loop in the ext4 support could cause a denial of service.

Bug 971170 - Kernel: Infinite loop in the ext4 support could cause a denial of service.

Summary: Kernel: Infinite loop in the ext4 support could cause a denial of service.

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	20
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Kernel Maintainer List
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-06-05 21:24 UTC by Jonathan Salwan
Modified:	2013-09-23 18:10 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2013-09-23 18:10:38 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
PoC (1.04 KB, text/x-csrc) 2013-06-05 21:24 UTC, Jonathan Salwan	no flags	Details
View All

Description Jonathan Salwan 2013-06-05 21:24:23 UTC

Created attachment 757373 [details]
PoC

In ./fs/ext4/balloc.c the "test_root" inline function is vulnerable to
'infinite' loop.

static inline int test_root(ext4_group_t a, int b)
{
    int num = b;

    while (a > num)
        num *= b;
    return num == a;
}

The 'a' argument is controlled from the userspace and its type is an
'unsigned int'. If 'a' value is 0xffffffff, we will seldom break the
'while' condition. With CAP_SYS_RESOURCE, an unprivileged user could 
use this flaw to cause a denial of service.

We can trigger this 'infinite' loop with the attached PoC.

Comment 1 Jonathan Salwan 2013-06-12 15:02:16 UTC

Maintainer notified on linux-ext4 mailing list.

Comment 2 Jonathan Salwan 2013-06-17 20:02:34 UTC

Is now fixed and committed in the next-line.

http://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/fs/ext4/resize.c?id=40c87e7a5404861cef33f6ced9809525a5ee2c50

Comment 3 Fedora End Of Life 2013-09-16 14:06:20 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora20

Comment 4 Josh Boyer 2013-09-23 18:10:38 UTC

This went into Linus' tree as commit b302ef2d3c73d8a07ed2f0679ce35f00b6dcacef and is included in 3.11-rc2.

Note You need to log in before you can comment on or make changes to this bug.