Linux kernel hfsplus slab-out-of-bounds Write

Outstanding article by Attila Szasz about exploiting a slab out-of-bounds bug in the HFS+ filesystem driver.

The author discovered that Ubuntu allows local (not remote/SSH'd) non-privileged users to mount arbitrary filesystems via udisks2 due to the used polkit rules. This includes filesystems whose mounting normally requires CAP_SYS_ADMIN in the init user namespace.

The article thoroughly describes a variety of techniques used in the exploit, including a cross-cache attack, page_alloc-level memory shaping, arbitrary write via red-black trees, and modprobe_path privilege escalation.

https://ssd-disclosure.com/ssd-advisory-linux-kernel-hfsplus-slab-out-of-bounds-write/

@linkersec New attack surface for Pwn2Own unlocked? 😁

Unprivileged mounting allows reaching a staggering number of bugs in the filesystem drivers; see the syzbot dashboard (click through "Child subsystems"):

https://syzkaller.appspot.com/upstream/s/fs

@linkersec The bug exploited in the article appears to have also been reported by syzbot last year. And looks like it haven't been fixed upsteam yet, only in Ubuntu.

syzbot report: https://syzkaller.appspot.com/bug?extid=5f3a973ed3dfb85a6683
Ubuntu fix: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit?h=Ubuntu-6.8.0-57.59&id=09ad3b1e99befe042ae5219e4020eb54411d98ef

@xairy @linkersec On the logic error side this deck from @gergelykalman also worth a look: https://gergelykalman.com/the-forgotten-art-of-filesystem-magic-alligatorcon-2024-slides.html

@buherator @linkersec @xairy Yeah user mounting is unbelievably dangerous, and it should never be allowed on any modern OS. Unfortunately macOS relies on it really deeply