Bug 971170 - Kernel: Infinite loop in the ext4 support could cause a denial of service.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel
Version: 20
Unspecified Linux
unspecified Severity unspecified
Assigned To: Kernel Maintainer List
Fedora Extras Quality Assurance
Reported: 2013-06-05 17:24 EDT by Jonathan Salwan
Modified: 2013-09-23 14:10 EDT
Doc Type: Bug Fix
Last Closed: 2013-09-23 14:10:38 EDT
Type: Bug

Attachments
PoC (1.04 KB, text/x-csrc)
2013-06-05 17:24 EDT, Jonathan Salwan
Description Jonathan Salwan 2013-06-05 17:24:23 EDT
Created attachment 757373 [details]
PoC

In ./fs/ext4/balloc.c the "test_root" inline function is vulnerable to an
'infinite' loop.

static inline int test_root(ext4_group_t a, int b)
{
    int num = b;

    while (a > num)
        num *= b;
    return num == a;
}

The 'a' argument is controlled from userspace and its type is an
'unsigned int'. If the 'a' value is 0xffffffff, we will seldom break the
'while' condition. With CAP_SYS_RESOURCE, an unprivileged user could
use this flaw to cause a denial of service.

We can trigger this 'infinite' loop with the attached PoC.
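As an added example (not part of the report, the attached PoC, or the kernel tree): a stand-alone C file that runs the quoted test_root() with an iteration cap so the spin at a = 0xffffffff can be observed safely, beside a division-based rewrite that cannot overflow. It assumes ext4_group_t is a 32-bit unsigned type (as in the kernel) and that ext4 calls test_root() with the bases 3, 5 and 7; the rewrite is this editor's own, not the text of the fix that later landed upstream.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ext4_group_t;       /* kernel type: a 32-bit block-group number */

/* The test_root() quoted in the report, with two changes: num is unsigned so the
 * wrap-around is well defined in userspace (the kernel build wraps as well), and
 * an iteration cap so the spin can be observed instead of hanging.
 * Returns 1 if num landed on a, 0 if it overshot a, -1 if the cap was hit. */
static int test_root_capped(ext4_group_t a, int b, unsigned long cap)
{
	unsigned int num = b;
	unsigned long iters = 0;

	/* a = 0xffffffff is the largest 32-bit value, so a > num stays true for as
	 * long as the wrapping sequence num, num*b, ... never lands on exactly a. */
	while (a > num) {
		num *= b;
		if (++iters >= cap)
			return -1;
	}
	return num == a;
}

/* Hardened rewrite (written for this example, not the upstream fix's text):
 * divide a down by b instead of multiplying num up, so nothing can overflow and
 * the loop runs at most log_b(a) times; b < 2 can never make progress, so reject it. */
static int test_root_fixed(ext4_group_t a, int b)
{
	if (b < 2)
		return 0;
	for (;;) {
		if (a < (ext4_group_t)b)
			return 0;
		if (a == (ext4_group_t)b)
			return 1;
		if (a % b != 0)
			return 0;
		a /= b;
	}
}

int main(void)
{
	ext4_group_t bad = 0xffffffff;   /* the group number named in the report */
	printf("original, a=0x%x b=3: %d (-1 = still looping at cap)\n",
	       (unsigned)bad, test_root_capped(bad, 3, 1UL << 24));
	printf("fixed, a=0x%x b=3: %d; fixed, a=243 b=3: %d\n",
	       (unsigned)bad, test_root_fixed(bad, 3), test_root_fixed(243, 3));
	return 0;
}
```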
Comment 1 Jonathan Salwan 2013-06-12 11:02:16 EDT
Maintainer notified on linux-ext4 mailing list.
Comment 3 Fedora End Of Life 2013-09-16 10:06:20 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora20
Comment 4 Josh Boyer 2013-09-23 14:10:38 EDT
This went into Linus' tree as commit b302ef2d3c73d8a07ed2f0679ce35f00b6dcacef and is included in 3.11-rc2.
