MOKB-07-11-2006

Bug details
Title: Linux 2.6.x zlib_inflate memory corruption
Description: Linux 2.6.x zlib_inflate function can be abused by filesystems that depend on zlib compression, such as cramfs. A failure to handle crafted data, result of a read operation in a corrupted filesystem stream, may lead to memory corruption. This particular vulnerability requires a filesystem (proof of concept for cramfs provided) to fail validation (ex. no integrity checking) of the binary stream in order to reach execution of zlib_inflate().
Author/Contributor:
References:
Proof of concept or exploit: The following cramfs filesystem image can be used to reproduce the bug: MOKB-07-11-2006.img.bz2
Use a loopback device to mount it: bunzip2 MOKB-07-11-2006.img.bz2 && mount -t cramfs -o loop MOKB-07-11-2006.iso /media/test && cat /media/test/* 2>/dev/null 1>&2
Debugging information:

The bug has been found using the Linux version of fsfuzzer on a Fedora Core 6 installation, with up to date packages as of 07-11-2006. A read operation is necessary to trigger the bug. The architecture used to conduct the tests is IA32/x86, SMP enabled.

Related debugging information:

[root@fedora ~]# crash /usr/lib/debug/lib/modules/2.6.18-1.2798.fc6/vmlinux /var/crash/2006-11-07-22\:13/vmcore

crash 4.0-3.3
Copyright (C) 2002, 2003, 2004, 2005, 2006  Red Hat, Inc.
Copyright (C) 2004, 2005, 2006  IBM Corporation
Copyright (C) 1999-2006  Hewlett-Packard Co
Copyright (C) 2005  Fujitsu Limited
Copyright (C) 2005  NEC Corporation
Copyright (C) 1999, 2002  Silicon Graphics, Inc.
Copyright (C) 1999, 2000, 2001, 2002  Mission Critical Linux, Inc.
This program is free software, covered by the GNU General Public License,
and you are welcome to change it and/or distribute copies of it under
certain conditions.  Enter "help copying" to see the conditions.
This program has absolutely no warranty.  Enter "help warranty" for details.

GNU gdb 6.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...

      KERNEL: /usr/lib/debug/lib/modules/2.6.18-1.2798.fc6/vmlinux
    DUMPFILE: /var/crash/2006-11-07-22:13/vmcore
        CPUS: 1
        DATE: Tue Nov  7 22:12:32 2006
      UPTIME: 00:03:01
LOAD AVERAGE: 0.68, 0.46, 0.20
       TASKS: 61
    NODNAE: fedora
     RELEASE: 2.6.18-1.2798.fc6
     VERSION: #1 SMP Mon Oct 16 14:37:32 EDT 2006
     MACHINE: i686  (2799 Mhz)
      MEMORY: 256 MB
       PANIC: "Oops: 0000 [#1]" (check log for details)
         PID: 1976
     COMMAND: "bash"
        TASK: cfd863b0  [THREAD_INFO: cb6d9000]
         CPU: 0
       STATE: TASK_RUNNING (SYSRQ)

crash> log
(...)
SELinux: initialized (dev loop0, type cramfs), uses genfs_contexts
Error -3 while decompressing!
d0aed7cc(977)->cb0a9000(4096)
Error -3 while decompressing!
d0aedb9d(1029)->cb09e000(4096)
Error -3 while decompressing!
d0aedfa2(886)->cb69c000(4096)
Error -3 while decompressing!
d0aee318(864)->cb0a2000(4096)
Error -3 while decompressing!
d0aee678(891)->cb0a5000(4096)
BUG: unable to handle kernel paging request at virtual address db5b0c28 <---------- edx
 printing eip:
c04ea58b
*pde = 00000000
Oops: 0000 [#1]
SMP
last sysfs file: /block/loop3/range
Modules linked in: cramfs loop ipv6 sunrpc ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack
nfnetlink xt_tcpudp iptable_filter ip_tables x_tables video sbs i2c_ec button battery asus_acpi ac
parport_pc lp parport floppy snd_ens1371 gameport snd_rawmidi snd_ac97_codec snd_ac97_bus snd_seq_dummy
snd_seq_oss snd_seq_midi_event snd_seq sg snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer
i2c_piix4 snd soundcore snd_page_alloc i2c_core pcspkr vmxnet(U) pcnet32 mii ide_cd serio_raw cdrom
dm_snapshot dm_zero dm_mirror dm_mod ext3 jbd mptspi scsi_transport_spi mptscsih sd_mod scsi_mod
mptbase
CPU:    0
EIP:    0060:[]    Tainted: P      VLI
EFLAGS: 00010286   (2.6.18-1.2798.fc6 #1)
EIP is at zlib_inflate+0xf8/0x148d
eax: 00000000   ebx: 00000000   ecx: db5b0c28   edx: d0af7000
esi: cb6c2000   edi: db5b0c28   ebp: f553ca78   esp: cb7dec58
ds: 007b   es: 007b   ss: 0068
Process cat (pid: 1946, ti=cb7de000 task=cf88b670 task.ti=cb7de000)
Stack: c07dc77e 00000000 d0af56c0 00000000 cb0e0000 00000007 00000000 00000121
       00000005 d0af56c0 d0af7000 cb7dec90 00000000 db5b0c28 cb6c2000 f553ca77
       00001000 00000000 00000000 cb7decc8 00001000 00000000 00000121 c04c1353
Call Trace:
 [] cramfs_uncompress_block+0x6e/0xb2 [cramfs]
 [] cramfs_readpage+0xc8/0x123 [cramfs]
 [] __do_page_cache_readahead+0x16f/0x1c8
 [] blockable_page_cache_readahead+0x4c/0x9f
 [] page_cache_readahead+0xbf/0x196
 [] do_generic_mapping_read+0x13d/0x49b
 [] __generic_file_aio_read+0x18c/0x1d1
 [] generic_file_read+0xa2/0xb8
 [] vfs_read+0xa6/0x157
 [] sys_read+0x41/0x67
 [] syscall_call+0x7/0xb
DWARF2 unwinder stuck at syscall_call+0x7/0xb
Leftover inexact backtrace:
 =======================
Code: ff e9 07 10 00 00 8b 54 24 28 83 7a 08 00 75 31 c7 02 0c 00 00 00 eb be 83 7c 24 3c 00 0f 84 ea 0f 00 00 8b 4c
24 34 ff 4c 24 3c <0f> b6 01 8a 4c 24 48 ff 44 24 34 83 44 24
48 08 d3 e0 01 44 24
EIP: [] zlib_inflate+0xf8/0x148d SS:ESP 0068:cb7dec58
 <3>BUG: sleeping function called from invalid context at kernel/rwsem.c:20
in_atomic():0, irqs_disabled():1
 [] dump_trace+0x69/0x1af
 [] show_trace_log_lvl+0x18/0x2c
 [] show_trace+0xf/0x11
 [] dump_stack+0x15/0x17
 [] down_read+0x12/0x20
 [] blocking_notifier_call_chain+0xe/0x29
 [] do_exit+0x1b/0x776
 [] die+0x29d/0x2c2
 [] do_page_fault+0x408/0x4db
 [] error_code+0x39/0x40
DWARF2 unwinder stuck at error_code+0x39/0x40
Leftover inexact backtrace:
 [] zlib_inflate+0xf8/0x148d
 [] inode_has_perm+0x5b/0x63
 [] __rmqueue+0x32/0xa2
 [] cramfs_uncompress_block+0x6e/0xb2 [cramfs]
 [] cramfs_readpage+0xc8/0x123 [cramfs]
 [] __do_page_cache_readahead+0x16f/0x1c8
 [] blockable_page_cache_readahead+0x4c/0x9f
 [] page_cache_readahead+0xbf/0x196
 [] do_generic_mapping_read+0x13d/0x49b
 [] __generic_file_aio_read+0x18c/0x1d1
 [] file_read_actor+0x0/0xe0
 [] generic_file_read+0x0/0xb8
 [] generic_file_read+0xa2/0xb8
 [] autoremove_wake_function+0x0/0x35
 [] vfs_read+0xa6/0x157
 [] sys_read+0x41/0x67
 [] syscall_call+0x7/0xb
 =======================
SysRq : Trigger a crashdump

crash> mount
VFSMOUNT SUPERBLK TYPE   DENAE       DINAE
c92537c0 c9258000 rootfs rootfs        /
c9253cc0 cfb38600 ext3   /dev/root     /
c9253c40 cfdc9600 tmpfs  /dev          /dev
c9253bc0 cfd03a00 proc   /proc         /proc
c9253b40 c9258200 sysfs  /sys          /sys
c9253e40 cfe2a800 selinuxfs none          /selinux
c9253ec0 cee5d800 usbfs  /proc/bus/usb /proc/bus/usb
c92530c0 cfe25400 devpts devpts        /dev/pts
c92538c0 cffb0000 ext3   /dev/sda1     /boot
c9253940 cffc2000 tmpfs  tmpfs         /dev/shm
c92539c0 cffb1a00 binfmt_misc none          /proc/sys/fs/binfmt_misc
c9253dc0 cffb0400 rpc_pipefs sunrpc        /var/lib/nfs/rpc_pipefs
c9253a40 cee5d000 cramfs /dev/loop0    /media/test
crash> x/10 0xc04ea58b
0xc04ea58b :  0x8a01b60f      0xff48244c      0x83342444      0x08482444
0xc04ea59b :  0x4401e0d3      0x7c834424      0x760f4824      0x44b60fd0
0xc04ea5ab :  0x548b4424      0xe0c14424
crash> x/10 0xdb5b0c28  <---------- edx
0xdb5b0c28:     gdb: invalid kernel virtual address: db5b0c28  type: "gdb_readmem callback"
crash> ascii db5b0c28   <---------- edx
db5b0c28: ([
crash> rd  0xcb6c2000 50
cb6c2000:  2d77722d 722d2d72 20202d2d 746f6f72   -rw-r--r--  root
cb6c2010:  6f6f7220 79732074 6d657473 6f3a755f    root system_u:o
cb6c2020:  63656a62 3a725f74 666d6f72 20745f73   bject_r:romfs_t
cb6c2030:  20202020 43202020 4959504f 6c0a474e          COPYING.l
cb6c2040:  72787772 77727877 72202078 20746f6f   rwxrwxrwx  root
cb6c2050:  746f6f72 73797320 5f6d6574 626f3a75   root system_u:ob
cb6c2060:  7463656a 723a725f 73666d6f 2020745f   ject_r:romfs_t
cb6c2070:  20202020 4f432020 4e495950 2d0a3247         COPYING2.-
cb6c2080:  722d7772 2d722d2d 7220202d 20746f6f   rw-r--r--  root
cb6c2090:  746f6f72 73797320 5f6d6574 626f3a75   root system_u:ob
cb6c20a0:  7463656a 723a725f 73666d6f 2020745f   ject_r:romfs_t
cb6c20b0:  20202020 72632020 73666d61 7361622e         cramfs.bas
cb6c20c0:  722d0a65 2d727877                     e.-rwxr-
crash> kmem 0xd0af7000
VM_STRUCT     ADDRESS RANGE       SIZE
cb7ff7e0   d0af7000 - d0b03000   49152

  PAGE    PHYSICAL   MAPPING    INDEX CNT FLAGS
c9161800   b0c0000   -------    -----   1 80000000