From: Theodore Ts'o <tytso@mit.edu>
To: Andreas Dilger <adilger@dilger.ca>
Cc: Greg KH <greg@kroah.com>,
Jonathan Salwan <jonathan.salwan@gmail.com>,
"adilger.kernel@dilger.ca" <adilger.kernel@dilger.ca>,
"security@kernel.org" <security@kernel.org>,
linux-ext4@vger.kernel.org
Subject: Re: CVE request : Infinite loop in the ext4 support could cause a denial of service.
Date: Thu, 6 Jun 2013 10:43:21 -0400 [thread overview]
Message-ID: <20130606144321.GB5382@thunk.org> (raw)
In-Reply-To: <7056E878-6406-4BC1-BF78-0F6DD4DBBE11@dilger.ca>
On Wed, Jun 05, 2013 at 09:02:11PM -0600, Andreas Dilger wrote:
>
> I think with CAP_SYS_RESOURCE there are are quite a number of
> DOS attacks possible (e.g. fork bomb).
Ah, sorry for my earlier e-mail. I didn't see the PoC code that was
quoted at the end of Greg's reply.
But I agree, that given that there are plenty of Denial of Service
attacks with CAP_SYS_RESOURCE, I don't believe a fix requires any
secrecy, so I'll run the patches through the normal ext4 process and
the ext4 mailing list.
If you want a CVE number for bragging points and/or for your
performance metrics (and/or to help Microsoft's propaganda machine),
feel free, but I don't consider this as a serious issue, so I don't
plan to tag the commit with a CVE number, nor to especially encourage
distro's to take this patch, unless someone sees more serious attack
vector.
> test_root() is called with "a" as the group number (any unsigned
> 32-bit number may be valid, depending on filesystem size), and "b"
> is 3, 5, and 7 in turn. With b=3, this only takes only 21 loops (i.e. 3^21) for num to exceed 2^32.
>
> Ah, num is a signed int, and if "a" is 0xffffffff there is no chance
> that (a > num) is ever true due to overflow. It would be enough to
> make "num" a u64 so that it cannot overflow before it exceeds "a".
That's a reasonable fix, but then I'd suggest caching the result of
ext4_sparse_group in ext4_group_info --- which would also imply that
we would be putting in an sanity check of the group number in
ext4_bg_has_super(), or better yet in ext4_get_group_info().
We should also fix this problem another way in verify_group_input() in
fs/ext4/resize.c by sanity checking the group number in the
ext4_new_group_data structures *before* calling ext4_bg_has_super() or
ext4_group_overhead_blocks().
- Ted
parent reply other threads:[~2013-06-06 14:43 UTC|newest]
Thread overview: expand[flat|nested] mbox.gz Atom feed
[parent not found: <7056E878-6406-4BC1-BF78-0F6DD4DBBE11@dilger.ca>]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130606144321.GB5382@thunk.org \
--to=tytso@mit.edu \
--cc=adilger.kernel@dilger.ca \
--cc=adilger@dilger.ca \
--cc=greg@kroah.com \
--cc=jonathan.salwan@gmail.com \
--cc=linux-ext4@vger.kernel.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).