Bug 1087004 - (CVE-2018-1095) VUL-1: CVE-2018-1095: kernel-source: NULL pointer dereference in fs/posix_acl.c:get_acl() causes crash with crafted ext4 image
Status: RESOLVED UPSTREAM
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/202739/
Whiteboard: CVSSv3:SUSE:CVE-2018-1095:4.4:(AV:L/...
Depends on:
Blocks:
Reported: 2018-03-27 05:28 UTC by Marcus Meissner
Modified: 2020-06-16 22:09 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
136.img (2.00 MB, application/octet-stream), 2018-03-27 05:29 UTC, Marcus Meissner
poc.c (3.18 KB, text/plain), 2018-03-27 05:30 UTC, Marcus Meissner

Description Marcus Meissner 2018-03-27 05:28:28 UTC
rh#1560793

The Linux kernel through version 4.15 is vulnerable to a NULL pointer dereference in the fs/posix_acl.c:get_acl() function. A privileged attacker could exploit this to cause a NULL pointer dereference with a crafted ext4 image.


Upstream Bug:

https://bugzilla.kernel.org/show_bug.cgi?id=199185
Comment 1 Marcus Meissner 2018-03-27 05:29:49 UTC
Created attachment 764995
136.img

QA REPRODUCER:

image for later mounting
Comment 2 Marcus Meissner 2018-03-27 05:30:56 UTC
Created attachment 764996
poc.c

QA REPRODUCER:

mkdir mnt
mount -t ext4 136.img mnt
gcc -o poc poc.c
./poc ./mnt
Comment 3 Jan Kara 2018-03-29 14:41:39 UTC
Upstream is working on this, I'll watch it and port the fix once the thing is settled.
Comment 4 Jan Kara 2018-05-17 12:50:31 UTC
OK, after checking more closely, this has been introduced by commit e50e5129f384 ("ext4: xattr-in-inode support"), which we don't have in any of our kernels. So nothing to be done from our side.

Reassigning to security team.
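The triage step in Comment 4 (a tree is only exposed if it carries commit e50e5129f384, "ext4: xattr-in-inode support") written out as a POSIX shell script. This is an added example, not part of the bug report or of any SUSE tooling; the kernel tree path /usr/src/linux is an assumed placeholder, and the only fact taken from the page is the commit hash.

```shell
#!/bin/sh
# Added example, not from the bug report: the triage step from Comment 4
# as a script. A kernel tree is only exposed to CVE-2018-1095 if it
# contains commit e50e5129f384 ("ext4: xattr-in-inode support"), so ask
# git whether that commit is an ancestor of the tree's HEAD.

# Commit hash as quoted in Comment 4 of the bug report.
INTRODUCING_COMMIT="e50e5129f384"

# kernel_has_commit REPO COMMIT
#   exit status 0: COMMIT is an ancestor of HEAD in REPO (tree affected)
#   exit status 1: COMMIT exists in REPO but is not in HEAD's history
#   exit status 2: COMMIT is not an object in REPO (shallow clone, or a
#                  tree that never merged the commit)
kernel_has_commit() {
    repo=$1
    commit=$2
    # cat-file -e succeeds only if the name resolves to an existing commit.
    if ! git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null; then
        return 2
    fi
    if git -C "$repo" merge-base --is-ancestor "$commit" HEAD; then
        return 0
    fi
    return 1
}

# report_tree TREE: print a verdict for one checkout, propagate the status.
report_tree() {
    tree=$1
    rc=0
    kernel_has_commit "$tree" "$INTRODUCING_COMMIT" || rc=$?
    case $rc in
        0) echo "$tree: contains $INTRODUCING_COMMIT, needs the upstream fix" ;;
        1) echo "$tree: has $INTRODUCING_COMMIT but HEAD does not descend from it" ;;
        *) echo "$tree: $INTRODUCING_COMMIT unknown here; not affected if the clone is complete" ;;
    esac
    return $rc
}

# Stand-alone use: KERNEL_TREE is an assumed path, override it via the environment.
KERNEL_TREE=${KERNEL_TREE:-/usr/src/linux}
if [ -d "$KERNEL_TREE/.git" ]; then
    report_tree "$KERNEL_TREE" || true
fi
```

Run it as `KERNEL_TREE=/path/to/linux sh check.sh`. Status 2 is deliberately kept separate from status 1: on a shallow clone the commit may be absent simply because history was truncated, so only a full clone turns "unknown" into "not affected".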
Comment 5 Marcus Meissner 2018-05-18 15:13:59 UTC
upstream fixed