Bug 7738 - gfs2 init_journal denial of service (CVE-2006-6057)
Summary: gfs2 init_journal denial of service (CVE-2006-6057)
Status: CLOSED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: Other
Hardware: i386 Linux
Importance: P2 normal
Assignee: Ingo Molnar
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-12-23 08:46 UTC by Daniel Drake
Modified: 2007-11-21 03:34 UTC

See Also:
Kernel Version: 2.6.19
Subsystem:
Regression: ---
Bisected commit-id:


Description Daniel Drake 2006-12-23 08:46:46 UTC
I can't seem to find a patch to fix this security vuln. Apologies if I missed
something.

http://projects.info-pull.com/mokb/MOKB-15-11-2006.html

Linux 2.6.x gfs2 filesystem code fails to properly handle corrupted data
structures, leading to an exploitable denial of service issue when a crafted
stream is being mounted. This particular vulnerability is caused by a NULL
pointer dereference in the init_journal function.

See the above URL for a fs image which can be used to reproduce this.

[root@fedoravm ~]# uname -a
Linux fedoravm 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:37:32 EDT 2006 i686 i686 i386 GNU/Linux

GFS2 (built Oct 16 2006 14:39:08) installed
BUG: unable to handle kernel NULL pointer dereference at virtual address 000002ac
 printing eip:
d0be45a9
*pde = 00000000
Oops: 0000 [#1]
SMP
last sysfs file: /block/loop3/range
Modules linked in: lock_nolock gfs2 hfs loop ipv6 sunrpc ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack nfnetlink xt_tcpudp iptable_filter ip_tables x_tables video sbs i2c_ec button battery asus_acpi ac parport_pc lp parport snd_ens1371 gameport snd_rawmidi snd_ac97_codec snd_ac97_bus snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq sg snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm vmxnet(U) snd_timer floppy i2c_piix4 snd pcnet32 i2c_core ide_cd cdrom soundcore mii serio_raw snd_page_alloc pcspkr dm_snapshot dm_zero dm_mirror dm_mod ext3 jbd mptspi scsi_transport_spi mptscsih sd_mod scsi_mod mptbase
CPU:    0
EIP:    0060:[]    Tainted: P      VLI
EFLAGS: 00010207   (2.6.18-1.2798.fc6 #1)
EIP is at init_journal+0x57/0x3f5 [gfs2]
eax: 00000000   ebx: 00000000   ecx: 00000001   edx: 00000000
esi: ca9f3000   edi: ca82b028   ebp: ca9f3000   esp: ca87bc94
ds: 007b   es: 007b   ss: 0068
Process mount.gfs2 (pid: 1929, ti=ca87b000 task=cfe232c0 task.ti=ca87b000)
Stack: ca9f3000 d0bef9c0 cfe232c0 ca82b2d8 caae352c caae352c d0bd9ae2 caae352c
       00000000 0000004d ca9f3000 00000000 00000003 ca82b1b4 00000003 ca82b028
       d0bdba52 ca82b2d8 00000001 ca87bce4 caae352c 00000000 ca9f3000 ca82b028
Call Trace:
 [] init_inodes+0x54/0x1da [gfs2]
 [] fill_super+0x50e/0x632 [gfs2]
 [] get_sb_bdev+0xce/0x11c
 [] gfs2_get_sb+0x21/0x3e [gfs2]
 [] vfs_kern_mount+0x83/0xf6
 [] do_kern_mount+0x2d/0x3e
 [] do_mount+0x5fa/0x66d
 [] sys_mount+0x77/0xae
 [] syscall_call+0x7/0xb
DWARF2 unwinder stuck at syscall_call+0x7/0xb
Leftover inexact backtrace:
 =======================
Code: 76 29 8d 85 9c 08 00 00 c7 44 24 08 00 00 00 00 89 44 24 04 c7 04 24 2a 21 bf d0 e8 f0 11 84 ef 8b bd 20 04 00 00 e9 94 03 00 00 <8b> 80 ac 02 00 00 90 0f ba 68 08 02 8d 54 24 14 89 e8 e8 92 89
EIP: [] init_journal+0x57/0x3f5 [gfs2] SS:ESP 0068:ca87bc94
Comment 1 Diego Calleja 2006-12-23 16:16:16 UTC
Please next time contact security@kernel.org first
Comment 2 Ingo Molnar 2007-11-21 03:34:23 UTC
This bug has been fixed in upstream GFS2 (a long time ago). Closing the bug.
