ISO9660 handling flaws.

Andrew virgule88 at videotron.ca
Sun Mar 20 15:37:20 MST 2005


I've been reading this article: <http://lwn.net/Articles/128365/> and
executed the 'trivial fuzz script' and it crashed (or is it a bug in the
code? me clueless ;) ). Here is the output it generated:

[*] Compiling mangler...
[*] Preparing ISO master (feel free to alter this code)...
[*] Creating image (alter filesystem or parameters as needed)...
[*] STRESS TEST PHASE...
File unit size != 0 for ISO file (1792).
Oops: kernel access of bad area, sig: 11 [#1]
NIP: C0017368 LR: C0017330 SP: C2EEF1F0 REGS: c2eef140 TRAP: 0300    Not tainted
MSR: 00001432 EE: 0 PR: 0 FP: 0 ME: 1 IR/DR: 11
DAR: 000000EB, DSISR: 40000000
TASK = ca4b7710[22066] 'mount' THREAD: c2eee000
Last syscall: 21 
GPR00: 00000000 C2EEF1F0 CA4B7710 00000001 00000100 00000190 C2EEF0B4 00000000
GPR08: C0470000 00000000 C0300000 00000000 4210C0A4 1002810C 10020000 00000000
GPR16: C2EEF470 00000000 00000000 C0470000 CE530E60 D3C18360 3C000021 00000000
GPR24: 000000ED CE530E80 C0310000 C0320000 000000EB 00000000 C0350000 C2EEF470
NIP [c0017368] xmon+0x424/0x1aac
LR [c0017330] xmon+0x3ec/0x1aac
Call trace:
 [c000f3fc] bad_page_fault+0x90/0x94
 [c0004968] handle_page_fault+0x7c/0x80
 [c0017330] xmon+0x3ec/0x1aac
 [c000f3fc] bad_page_fault+0x90/0x94
 [c0004968] handle_page_fault+0x7c/0x80
 [c0017330] xmon+0x3ec/0x1aac
 [c000f3fc] bad_page_fault+0x90/0x94
 [c0004968] handle_page_fault+0x7c/0x80
 [c00cd2d0] parse_rock_ridge_inode_internal+0x1c0/0x710
 [c00cd840] parse_rock_ridge_inode+0x20/0x74
 [c00cb398] isofs_read_inode+0x350/0x67c
 [c00cb7dc] isofs_iget+0x8c/0xac
 [c00cc030] isofs_fill_super+0x834/0x9ac
 [c0069868] get_sb_bdev+0x14c/0x1d0
 [c00cad4c] isofs_get_sb+0x18/0x28
Interleaved files not (yet) supported.
ISO 9660 Extensions: Microsoft Joliet Level 3
ISO 9660 Extensions: RRIP_1991A
ISO 9660 Extensions: Microsoft Joliet Level 3
Interleaved files not (yet) supported.
ISO 9660 Extensions: RRIP_1991A
ISO 9660 Extensions: Microsoft Joliet Level 3
ISO 9660 Extensions: RRIP_1991A
ISO 9660 Extensions: Microsoft Joliet Level 3
Interleaved files not (yet) supported.
ISOFS: changing to secondary root
Bad logical zone size 2197
ISO 9660 Extensions: Microsoft Joliet Level 3
Oops: kernel access of bad area, sig: 11 [#2]
NIP: C0011518 LR: C00CD2F8 SP: C22D9B80 REGS: c22d9ad0 TRAP: 0300    Not tainted
MSR: 00009432 EE: 1 PR: 0 FP: 0 ME: 1 IR/DR: 11
DAR: AEF07000, DSISR: 40000000
TASK = c5e220f0[22378] 'mount' THREAD: c22d8000
Last syscall: 21 
GPR00: 00000000 C22D9B80 C5E220F0 C41ADAA0 AEF06FFC 000000ED C41ADA9C 0000001D
GPR08: C22D9B24 C968DCF0 00000002 00000001 0AE977B9 1002810C 10020000 00000000
GPR16: 00000000 00000000 00000000 00000000 CE530048 C41ADAA0 E5000000 00000000
GPR24: 000000ED CE530068 0000001C CE530048 00000002 C968DCF0 000000ED C9F06088
NIP [c0011518] memcpy+0x1c/0x9c
LR [c00cd2f8] parse_rock_ridge_inode_internal+0x1e8/0x710
Call trace:
 [c00cd840] parse_rock_ridge_inode+0x20/0x74
 [c00cb398] isofs_read_inode+0x350/0x67c
 [c00cb7dc] isofs_iget+0x8c/0xac
 [c00cc030] isofs_fill_super+0x834/0x9ac
 [c0069868] get_sb_bdev+0x14c/0x1d0
 [c00cad4c] isofs_get_sb+0x18/0x28
 [c0069058] do_kern_mount+0x64/0x138
 [c0082548] do_mount+0x3a4/0x69c
 [c00828e4] sys_mount+0xa4/0xf4
 [c0004420] ret_from_syscall+0x0/0x44
[+] Something found (/tmp/cd-mod.iso)...

That's all. The system was basically 'dead' at this point. I blindly typed
'sudo killall *' and the system resurrected (ain't that fun?). Then this last
line appeared in the terminal:
./ISO_fs_exploit: line 63: 22378 Segmentation fault     mount -t iso9660 -o loop,ro /tmp/cd_mod.iso "$DIR" 2>/dev/null

I understand this test script is meant to be executed on kernel-2.6.11.5,
but it failed anyway. I take it that our current kernel (2.6.10-1.ydl.1)
is vulnerable.
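The second oops above faults inside memcpy called from parse_rock_ridge_inode_internal while mounting the fuzzed image, which is consistent with a System Use (SUSP) entry whose length byte was trusted before being checked against the buffer. As an added example that is not code from this post or from the kernel's isofs driver, here is a bounds-checked SUSP walker in C: the entry layout (2-byte signature, 1-byte total length, 1-byte version) follows the SUSP/Rock Ridge specifications, while the NM handling and the demo_* sample areas are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Walks a SUSP area: each entry is 2-byte signature, 1-byte total length,
 * 1-byte version, then payload. Collects NM name pieces into name (NUL-
 * terminated, at most name_cap-1 bytes). Returns entries consumed or -1. */
int rr_parse_susp(const uint8_t *area, size_t area_len, char *name, size_t name_cap)
{
    size_t pos = 0, nlen = 0;
    int count = 0;
    name[0] = '\0';
    while (pos < area_len) {
        /* Fewer than 4 bytes left: only zero padding is acceptable here. */
        if (area_len - pos < 4)
            return area[pos] == 0 ? count : -1;
        const uint8_t *e = area + pos;
        size_t len = e[2];
        /* The length field is image-controlled: it must cover its own
         * header and must not run past the end of the area. */
        if (len < 4 || len > area_len - pos)
            return -1;
        if (e[0] == 'S' && e[1] == 'T')
            return count + 1;              /* ST terminates the area */
        if (e[0] == 'N' && e[1] == 'M') {
            /* NM payload: one flags byte, then name bytes. Bound the copy
             * by the entry length and by the room left in the output. */
            if (len < 5 || nlen + (len - 5) >= name_cap)
                return -1;
            memcpy(name + nlen, e + 5, len - 5);
            nlen += len - 5;
            name[nlen] = '\0';
        }
        pos += len;
        count++;
    }
    return count;
}
/* Constructed sample areas, not taken from the image in the post. */
int demo_well_formed(char *name, size_t cap)
{
    static const uint8_t a[] = { 'N','M',10,1,0,'h','e','l','l','o',
                                 'N','M', 7,1,0,'!','!',  'S','T',4,1 };
    return rr_parse_susp(a, sizeof a, name, cap);   /* 3, name "hello!!" */
}
int demo_oversized_length(char *name, size_t cap)
{
    static const uint8_t a[] = { 'N','M',0x40,1,0,'x' };   /* claims 64 bytes */
    return rr_parse_susp(a, sizeof a, name, cap);   /* -1 */
}
```

The same length-versus-remaining check applies to every entry type, not only NM; an entry that claims more bytes than remain in the area is rejected before any copy happens.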
