Red Hat Bugzilla – Bug 971170
Kernel: Infinite loop in the ext4 support could cause a denial of service.
Last modified: 2013-09-23 14:10:38 EDT
Created attachment 757373
In ./fs/ext4/balloc.c the "test_root" inline function is vulnerable to
static inline int test_root(ext4_group_t a, int b)
{
	int num = b;

	while (a > num)
		num *= b;
	return num == a;
}
The 'a' argument is controlled from userspace and its type is
'unsigned int'. If the value of 'a' is 0xffffffff, we will seldom break the
'while' condition. With CAP_SYS_RESOURCE, an unprivileged user could
use this flaw to cause a denial of service.
We can trigger this 'infinite' loop with the attached PoC.
Maintainer notified on linux-ext4 mailing list.
Is now fixed and committed in the next-line.
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.
More information and reason for this action is here:
This went into Linus' tree as commit b302ef2d3c73d8a07ed2f0679ce35f00b6dcacef and is included in 3.11-rc2.
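
The loop quoted in the report, modelled in user space next to a bounded rewrite, to show why a = 0xffffffff never satisfies the exit condition. This is an added example, not code from the bug report, the attached PoC or the kernel tree; `group_t`, `test_root_model`, `test_root_bounded` and the iteration budget are names and assumptions introduced here, and the bounded variant is one way to write the check, not a copy of the committed fix.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t group_t;	/* stand-in for ext4_group_t (unsigned int) */

/*
 * Model of the loop quoted in the report. num is kept unsigned so the
 * wraparound is well defined in user space; it yields the same bit
 * pattern the "a > num" comparison sees after converting the int.
 * Returns -1 when max_iter multiplications did not end the loop.
 */
static int test_root_model(group_t a, int b, unsigned long max_iter)
{
	uint32_t num = (uint32_t)b;
	unsigned long n;

	for (n = 0; a > num; n++) {
		if (n == max_iter)
			return -1;
		num *= (uint32_t)b;	/* wraps modulo 2^32 */
	}
	return num == a;
}

/* Bounded variant: divide a down instead of multiplying num up. */
static int test_root_bounded(group_t a, int b)
{
	group_t base = (group_t)b;

	if (b < 2)		/* assumption: only bases >= 2 are meaningful */
		return 0;
	while (a > base) {
		if (a % base != 0)
			return 0;
		a /= base;	/* strictly decreases, so the loop ends */
	}
	return a == base;
}

int main(void)
{
	int bases[] = { 3, 5, 7 };	/* constructed sample bases */

	for (int i = 0; i < 3; i++)
		printf("b=%d model=%d bounded=%d\n", bases[i],
		       test_root_model(0xffffffffu, bases[i], 1000000UL),
		       test_root_bounded(0xffffffffu, bases[i]));
	return 0;
}
```

For a = 0xffffffff the comparison `a > num` is false only when num equals 0xffffffff, and the powers of 3, 5 and 7 modulo 2^32 never take that value, so the modelled loop exhausts any budget while the bounded variant returns after at most one division per factor of b.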