Bug 1597775 (CVE-2018-13095) - CVE-2018-13095 kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c
Summary: CVE-2018-13095 kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-13095
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20180603,reported=2...
Depends On: 1602039 1597777 1597780 1602037 1602038 1602040
Blocks: 1597779
TreeView+ depends on / blocked
 
Reported: 2018-07-03 15:19 UTC by Laura Pardo
Modified: 2019-08-06 12:06 UTC (History)
44 users (show)

Fixed In Version: kernel 4.18-rc3
Doc Type: If docs needed, set a value
Doc Text:
An issue was discovered in the XFS filesystem in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel. A denial of service due to the NULL pointer dereference can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:31:38 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1350 None None None 2019-06-04 16:28:55 UTC
Red Hat Product Errata RHSA-2019:2029 None None None 2019-08-06 12:04:12 UTC
Red Hat Product Errata RHSA-2019:2043 None None None 2019-08-06 12:06:36 UTC

Description Laura Pardo 2018-07-03 15:19:10 UTC
An issue was discovered in the XFS filesystem in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel. A denial of service due to the NULL pointer dereference can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork.

References:

https://bugzilla.kernel.org/show_bug.cgi?id=199915 	

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=23fcb3340d033d9f081e21e6c12c2db7eaa541d3

Comment 1 Laura Pardo 2018-07-03 15:20:47 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1597777]

Comment 6 Vladis Dronov 2018-07-17 16:31:25 UTC
Notes:

While the flaw reproducer works when run as a privileged user (the "root"), this requires a mount of a certain filesystem image. An unprivileged attacker cannot do this even from a user+mount namespace:

$ unshare -U -r -m
# mount -t xfs fs.img mnt/
mount: mnt/: mount failed: Operation not permitted.

The article https://lwn.net/Articles/652468/ discusses unprivileged user mounts and hostile filesystem images:
 
> ... for the most part, the mount() system call is denied to processes running
> within user namespaces, even if they are privileged in their namespaces.

It also states that unprivileged filesystem mounts are not allowed as of now in the Linux kernel and probably won't be allowed in a future. Until that such flaws are considered as not exploitable:

> There were no proposals for solutions to the hostile-filesystem problem.
> But, in the absence of some sort of assurance that they can be made safe,
> unprivileged filesystem mounts are unlikely to gain acceptance; even if the
> feature gets into the kernel, distributions would be likely to disable it.

On the other hand, there is a potential possibility that still an attacker can trick a regular user to mount a malicious filesystem image, like trick him to insert an usb-flash-drive with a forged filesystem to a desktop system which will auto-mount it. In case this results only in a system crash (a DoS due to, for example, a NULL pointer dereference) the flaw impact is low but it still exists. In case of a flaw which results in a privilege escalation the flaw's impact is higher.

So the Red Hat would still consider bugs which require mounting a filesystem image to exploit as security flaws, though with Low severity.

Comment 9 errata-xmlrpc 2019-06-04 16:28:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1350 https://access.redhat.com/errata/RHSA-2019:1350

Comment 10 errata-xmlrpc 2019-08-06 12:04:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029

Comment 11 errata-xmlrpc 2019-08-06 12:06:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043


Note You need to log in before you can comment on or make changes to this bug.