Re: Null-Pointer Deference in hfs.ko (Linux 4.15.0-15.16 Ubuntu)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, Apr 18, 2018 at 10:30:28AM -0700, Matthew Wilcox wrote:
> On Wed, Apr 18, 2018 at 06:26:41PM +0200, Sergej Schumilo wrote:
> > Dear all,
> > The following null pointer dereference bug was found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL). I have attached the causing hfs filesystem image, the dmesg report and the source code of a simple mounting tool to reproduce this issue.
> > 
> > A local users who have been granted the privileges necessary to mount filesystems (or a system components which auto mounts filesystems) could trigger a null pointer dereference or a kernel panic (depending on panic_on_oops).
> 
> I have to say this isn't going to rank very highly in terms of bugs we're
> likely to spend a lot of time on.  Almost nobody uses HFS on Linux,
> and it has no maintainer.  I'd suggest that Ubuntu disables it from
> their configuration, or if it's important to them, that they contribute
> somebody's time to working on it.
> 
> You'd probably get a more interesting response if you fuzzed ext4, btrfs
> or XFS.  Or FAT or iso9660; things people are likely to have an USB keys.
> There may be a tooling problem here where some filesystems should be
> whitelisted for automounting.  I just don't think you're going to find
> anyone interested in fixing this.

Also this looks the same as this bug that was already reported by syzbot, with a
C reproducer:

    Thread: https://groups.google.com/forum/#!msg/syzkaller-bugs/9SgQk_6tSZ4/zLhTm4r1AwAJ
    Dashboard link: https://syzkaller.appspot.com/bug?id=c2fd07ae5213991a1b95eadee9205b41ac1aa6e2

In fact there are already 4 open HFS bugs on the syzbot dashboard at
https://syzkaller.appspot.com/.  IMO, time would be much better spent actually
fixing the bugs, rather than redundantly finding them again.

Also Sergej, I know that you want to consider this a "security bug" and report
it to "security" teams, and maybe even file a CVE number.  But the reality is
that NULL pointer dereferences rarely have much security impact, and many
"security" teams seem to be wasting so much time with such bugs that they are
ignoring bugs with actual security impact, like the 34 use-after-free bugs that
are currently open in the syzbot dashbard.  So IMO, going through the full
security circus on NULL pointer dereferences is actually detriminal to security.
(Though, they still need to be fixed of course!)

Thanks,

Eric
[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux