Bug 7738

Summary: gfs2 init_journal denial of service (CVE-2006-6057)
Product: File System
Reporter: Daniel Drake (dsd)
Component: Other
Assignee: Ingo Molnar (mingo)
Status: CLOSED CODE_FIX
Severity: normal
CC: diegocg
Priority: P2
Hardware: i386
OS: Linux
Kernel Version: 2.6.19
Subsystem:
Regression: ---
Bisected commit-id:

Description Daniel Drake 2006-12-23 08:46:46 UTC
I can't seem to find a patch to fix this security vuln. Apologies if I missed
something.

http://projects.info-pull.com/mokb/MOKB-15-11-2006.html

Linux 2.6.x gfs2 filesystem code fails to properly handle corrupted data
structures, leading to an exploitable denial of service issue when a crafted
stream is being mounted. This particular vulnerability is caused by a NULL
pointer dereference in the init_journal function.

See the above URL for a fs image which can be used to reproduce this.

[root@fedoravm ~]# uname -a
Linux fedoravm 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:37:32 EDT 2006 i686 i686 i386 GNU/Linux

GFS2 (built Oct 16 2006 14:39:08) installed
BUG: unable to handle kernel NULL pointer dereference at virtual address 000002ac
 printing eip:
d0be45a9
*pde = 00000000
Oops: 0000 [#1]
SMP
last sysfs file: /block/loop3/range
Modules linked in: lock_nolock gfs2 hfs loop ipv6 sunrpc ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack nfnetlink xt_tcpudp iptable_filter ip_tables x_tables video sbs i2c_ec button battery asus_acpi ac parport_pc lp parport snd_ens1371 gameport snd_rawmidi snd_ac97_codec snd_ac97_bus snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq sg snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm vmxnet(U) snd_timer floppy i2c_piix4 snd pcnet32 i2c_core ide_cd cdrom soundcore mii serio_raw snd_page_alloc pcspkr dm_snapshot dm_zero dm_mirror dm_mod ext3 jbd mptspi scsi_transport_spi mptscsih sd_mod scsi_mod mptbase
CPU:    0
EIP:    0060:[]    Tainted: P      VLI
EFLAGS: 00010207   (2.6.18-1.2798.fc6 #1)
EIP is at init_journal+0x57/0x3f5 [gfs2]
eax: 00000000   ebx: 00000000   ecx: 00000001   edx: 00000000
esi: ca9f3000   edi: ca82b028   ebp: ca9f3000   esp: ca87bc94
ds: 007b   es: 007b   ss: 0068
Process mount.gfs2 (pid: 1929, ti=ca87b000 task=cfe232c0 task.ti=ca87b000)
Stack: ca9f3000 d0bef9c0 cfe232c0 ca82b2d8 caae352c caae352c d0bd9ae2 caae352c
       00000000 0000004d ca9f3000 00000000 00000003 ca82b1b4 00000003 ca82b028
       d0bdba52 ca82b2d8 00000001 ca87bce4 caae352c 00000000 ca9f3000 ca82b028
Call Trace:
 [] init_inodes+0x54/0x1da [gfs2]
 [] fill_super+0x50e/0x632 [gfs2]
 [] get_sb_bdev+0xce/0x11c
 [] gfs2_get_sb+0x21/0x3e [gfs2]
 [] vfs_kern_mount+0x83/0xf6
 [] do_kern_mount+0x2d/0x3e
 [] do_mount+0x5fa/0x66d
 [] sys_mount+0x77/0xae
 [] syscall_call+0x7/0xb
DWARF2 unwinder stuck at syscall_call+0x7/0xb
Leftover inexact backtrace:
 =======================
Code: 76 29 8d 85 9c 08 00 00 c7 44 24 08 00 00 00 00 89 44 24 04 c7 04 24 2a 21 bf d0 e8 f0 11 84 ef 8b bd 20 04 00 00 e9 94 03 00 00 <8b> 80 ac 02 00 00 90 0f ba 68 08 02 8d 54 24 14 89 e8 e8 92 89
EIP: [] init_journal+0x57/0x3f5 [gfs2] SS:ESP 0068:ca87bc94
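The bug class this report describes (an on-disk structure trusted at mount time, ending in a NULL pointer dereference in the mount path), as an added example that is not gfs2 code and is not part of this bug report: a hypothetical, much simplified journal lookup over an untrusted image, with every structure, field and function name (`toy_sb`, `toy_sbd`, `init_journal_unchecked`, `init_journal_checked`, `toy_mount`) invented for illustration. The unchecked form is shown beside a hardened one that validates the claimed journal count and the journal offset before forming any pointer, and fails the mount with -EINVAL instead of oopsing.

```c
/* Added example, not gfs2 code and not from this report: a hypothetical,
 * much simplified mount-time journal lookup over an untrusted image.  All
 * names are invented.  It shows the bug class described above (an on-disk
 * value trusted without validation, ending in a NULL dereference during
 * mount) beside a hardened version that validates before dereferencing. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TOY_MAGIC        0x54594A4Cu   /* constructed magic value */
#define TOY_MAX_JOURNALS 16

struct toy_sb {                        /* on-disk: every field is untrusted */
    uint32_t magic;
    uint32_t num_journals;             /* claimed count, may be a lie */
    uint32_t journal_off[TOY_MAX_JOURNALS]; /* byte offsets into the image */
};

struct toy_journal { uint32_t seq, blocks; };

struct toy_sbd {                       /* per-mount state */
    const uint8_t *image;
    size_t image_len;
    const struct toy_journal *journal; /* NULL until a lookup succeeds */
};

struct toy_image {                     /* constructed image: sb + one journal */
    struct toy_sb sb;
    struct toy_journal j;
};

/* Unchecked pattern: the lookup can fail (idx beyond the claimed count) but
 * its result is dereferenced anyway.  On an image claiming zero journals the
 * pointer stays NULL and the field access faults; in kernel context that is
 * the mount-time denial of service.  Only the valid case is exercised. */
int init_journal_unchecked(struct toy_sbd *sdp, unsigned int idx)
{
    const struct toy_sb *sb = (const struct toy_sb *)sdp->image;

    if (idx < sb->num_journals)
        sdp->journal = (const struct toy_journal *)(sdp->image + sb->journal_off[idx]);
    return (int)sdp->journal->blocks;  /* NULL dereference if the lookup failed */
}

/* Hardened pattern: check image length, magic, claimed count, and the offset's
 * bounds and alignment before forming any pointer; a bad image is reported as
 * -EINVAL so the mount fails cleanly instead of crashing. */
int init_journal_checked(struct toy_sbd *sdp, unsigned int idx)
{
    const struct toy_sb *sb;
    uint32_t off;

    if (sdp->image_len < sizeof(*sb))
        return -EINVAL;                /* truncated image */
    sb = (const struct toy_sb *)sdp->image;
    if (sb->magic != TOY_MAGIC)
        return -EINVAL;
    if (sb->num_journals == 0 || sb->num_journals > TOY_MAX_JOURNALS ||
        idx >= sb->num_journals)
        return -EINVAL;                /* image claims no such journal */
    off = sb->journal_off[idx];
    if (off % 4 != 0 || off > sdp->image_len ||
        sdp->image_len - off < sizeof(struct toy_journal))
        return -EINVAL;                /* offset points outside the image */
    sdp->journal = (const struct toy_journal *)(sdp->image + off);
    return 0;
}

/* Build a constructed image from caller-chosen (possibly crafted) values and
 * mount it.  Returns the journal's block count on success, else -errno. */
int toy_mount(int hardened, uint32_t num_journals, uint32_t off0, unsigned int idx)
{
    struct toy_image img;
    struct toy_sbd sdp;
    int err;

    memset(&img, 0, sizeof(img));
    img.sb.magic = TOY_MAGIC;
    img.sb.num_journals = num_journals;
    img.sb.journal_off[0] = off0;
    img.j.seq = 1;
    img.j.blocks = 128;

    sdp.image = (const uint8_t *)&img;
    sdp.image_len = sizeof(img);
    sdp.journal = NULL;
    if (!hardened)
        return init_journal_unchecked(&sdp, idx);
    err = init_journal_checked(&sdp, idx);
    return err ? err : (int)sdp.journal->blocks;
}
```

`toy_mount(1, sizeof(struct toy_sb), 1, 0)` style calls build the image in memory, so crafted values (a claimed journal count of zero, an offset past the end of the image, a misaligned offset, an index beyond the claimed count) can be fed to the hardened path without touching a block device; the unchecked path is only ever called on the well-formed image, since on the crafted ones it would fault exactly as the oops above shows.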
Comment 1 Diego Calleja 2006-12-23 16:16:16 UTC
Please next time contact security@kernel.org first.
Comment 2 Ingo Molnar 2007-11-21 03:34:23 UTC
This bug has been fixed in upstream GFS2 (a long time ago). Closing the bug.