MOKB-12-11-2006

Bug details
Title: Linux 2.6.x ext2_check_page denial of service
Description: Linux 2.6.x ext2 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when read operation is being done on a crafted fs stream.
Author/Contributor:
References:
Proof of concept or exploit: The following ext2 filesystem image can be used to reproduce the bug: MOKB-12-11-2006.img.bz2
Use a loopback device to mount it: bunzip2 MOKB-12-11-2006.img.bz2 && mount -t ext2 -o loop MOKB-12-11-2006.img /media/test
Debugging information:

The bug has been found using the Linux version of fsfuzzer on a Fedora Core 6 installation, with up to date packages as of 11-11-2006. A read operation is necessary to trigger the bug. The architecture used to conduct the tests is IA32/x86, SMP enabled.

[root@fedora ~]# uname -a
Linux fedora 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:37:32 EDT 2006 i686 i686 i386 GNU/Linux

EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=24576, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=28672, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=32768, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=36864, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=40960, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=45056, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=49152, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=53248, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=57344, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=61440, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=65536, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=69632, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=73728, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=77824, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=81920, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=86016, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=90112, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=94208, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=98304, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=102400, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=106496, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=110592, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=114688, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=118784, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=122880, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=126976, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=131072, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=135168, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=139264, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=143360, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=147456, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop1): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=151552, inode=0, rec_len=0, name_len=0