[Bug 266562] malicious Linux LVM label can cause crash during taste
Date: Fri, 23 Sep 2022 09:53:37 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266562

            Bug ID: 266562
           Summary: malicious Linux LVM label can cause crash during taste
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 236762
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=236762&action=edit
a disk image that causes a crash in llvm_label_decode() during tasting

In llvm_label_decode():

        ll->ll_offset = le32dec(data + 20);
        ...
        off = ll->ll_offset;
        ...
        bcopy(data + off, uuid, 6);

off is read from the disk and used without a sanity check, so a bad
value can cause a wild pointer reference.

I've attached a demo disk image.

# kldload geom_linux_lvm
# mdconfig -f taste25a.img
panic: Fatal page fault at 0xffffffc000270b32: 0xffffffd1019359ff
cpuid = 0
time = 1663881738
KDB: stack backtrace:
db_trace_self() at db_trace_self
db_trace_self_wrapper() at db_trace_self_wrapper+0x38
kdb_backtrace() at kdb_backtrace+0x2c
vpanic() at vpanic+0x170
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0xffffffd1019359ff
llvm_label_decode() at llvm_label_decode+0xb4
g_llvm_read_label() at g_llvm_read_label+0xce
g_llvm_taste() at g_llvm_taste+0xba
g_new_provider_event() at g_new_provider_event+0xb8
one_event() at one_event+0x102
g_run_events() at g_run_events+0x8a
g_event_procbody() at g_event_procbody+0x56
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xa

FreeBSD  14.0-CURRENT FreeBSD 14.0-CURRENT #158
main-n250931-18f03443a230-dirty: Thu Sep 22 18:55:59 EDT 2022
rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM  riscv

-- 
You are receiving this mail because:
You are the assignee for the bug.
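
The missing sanity check described in the report, sketched as a user-space C example. This is added here for illustration and is not the FreeBSD source or the project's fix. The 512-byte buffer size, the helper names label_copy_checked() and demo(), and the sample sector contents are assumptions; only the offset field at byte 20 and the 6-byte copy come from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512u /* assumption: size of the buffer handed to the decoder */
#define OFF_FIELD   20u  /* position of the offset field, from the report */
#define COPY_LEN    6u   /* length of the bcopy shown in the report */

/* Portable little-endian 32-bit load, standing in for le32dec(). */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
        (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical helper: 0 and out[] filled if the copy stays in data[0..len), else -1. */
int label_copy_checked(const uint8_t *data, size_t len, uint8_t out[COPY_LEN])
{
    uint32_t off;

    if (len < OFF_FIELD + 4 || len < COPY_LEN)
        return -1;              /* buffer too short to hold the fields */
    off = le32(data + OFF_FIELD);
    if (off > len - COPY_LEN)   /* subtraction form cannot wrap, unlike off + COPY_LEN */
        return -1;
    memcpy(out, data + off, COPY_LEN);
    return 0;
}

/* Build a constructed (not real LVM) sector whose offset field is off_value. */
int demo(uint32_t off_value, uint8_t out[COPY_LEN])
{
    uint8_t sec[SECTOR_SIZE] = {0};

    for (int i = 0; i < 4; i++)
        sec[OFF_FIELD + i] = (uint8_t)(off_value >> (8 * i));
    memcpy(sec + 32, "ABCDEF", COPY_LEN);
    return label_copy_checked(sec, sizeof(sec), out);
}

int main(void)
{
    uint8_t out[COPY_LEN];

    printf("off=32 -> %d\n", demo(32, out));
    printf("off=0xffffffff -> %d\n", demo(0xffffffffu, out));
    return 0;
}
```

The bound is checked against the length of the buffer actually read from the provider, so an on-disk offset is rejected before it is ever added to the data pointer.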