[10255] in bugtraq


Re: Large size file and Midnight/bug in crontab with this file

daemon@ATHENA.MIT.EDU (Mixter)
Fri Apr 16 16:40:44 1999

Date: 	Thu, 15 Apr 1999 21:06:42 +0200
Reply-To: Mixter <mixter@POPMAIL.COM>
From: Mixter <mixter@POPMAIL.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19990415061608.19503.qmail@lighting.ml.org>

On Thu, 15 Apr 1999, Maurycy Prodeus wrote:

> With negative size, but really it is a very large size ;-) (very strange
> that even in kernel 2.2.5 it is possible)

That program you wrote is very scary :)
Any user can create files on any kind of partition with a
"negative" size (i.e. with wrong file structure information).
IMO, this is a problem of a Linux x86 kernel instruction...

ftruncate() :
movl   %ebx,%edx                     # save caller's %ebx (callee-saved register)
movl   0x8(%esp,1),%ecx              # 2nd argument: length -> %ecx (passed through unchecked)
movl   0x4(%esp,1),%ebx              # 1st argument: fd -> %ebx
movl   $0x5d,%eax                    # syscall number 0x5d = 93 = ftruncate (i386)
int    $0x80                         # enter the kernel
movl   %edx,%ebx                     # restore %ebx
cmpl   $0xfffff001,%eax              # return value in -4095..-1 means -errno
jae    0x804ccf0 <__syscall_error>   # set errno and return -1
ret

This is a sample interrupt which truncates a file belonging to
a file descriptor to any size, including negative, unchecked...
Doing this on an EXT2 fs will get you the error:
EXT2-fs warning (device 03:03): ext2_getblk: block < 0
Any further write access causes the same error... I think
that a lot of programs are not prepared for "negative"-size files
and could encounter race conditions, panics, segfaults with this.
The ability of creating such files should be disabled in further
Linux kernel releases (anyone tried this on BSD, SunOS etc. yet?).

Mixter
