[18526] in bugtraq
Re: major security bug in reiserfs (may affect SuSE Linux)
daemon@ATHENA.MIT.EDU (Ben Greenbaum)
Wed Jan 10 14:18:41 2001
Message-Id: <Pine.GSO.4.30.0101100905450.25884-100000@mail>
Date: Wed, 10 Jan 2001 09:14:43 -0800
Reply-To: Ben Greenbaum <bgreenbaum@SECURITYFOCUS.COM>
From: Ben Greenbaum <bgreenbaum@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
summary of responses:
-----------------------------------------
From: Allen Bolderoff <allen@gist.net.au>
The latest reiserfs patches and 2.4 kernel are fine here.
------------------------------------------------------
From: "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>
<john@VMLINUX.NET> wrote:
+-----
| I can't reproduce this.
+--->8
I've just tried it on stock SuSE 6.4 and 7.0 and also cannot reproduce it.
---------------------------------------------
From: "John H. Robinson, IV" <jhriv@ucsd.edu>
[jaqque@osiris:/tmp/chk]% uname -a
Linux osiris 2.2.18 [classified] Sat Jan 6 11:19:04 PST 2001 i586 unknown
[jaqque@osiris:/tmp/chk]% mkdir "$(perl -e 'print "x" x 768')"
no oops, but a directory that cannot be removed.
linux kernel 2.2.18 with reiserfs-3.5.29 patch
---------------------------
From: lloy0076@rebel.net.au
No oops maybe, BUT if you set up an evil script to make so many that the various kernel structures got too full (or it filled the whole partition/disk up) then....
And at 650Mhz my computer could do that quite easily...
----------------------------------------------
From: Torge Szczepanek <bugtraq@szczepanek.de>
I tested it under a fresh install of SuSE Linux 7.0 using the SuSE Linux 7.0 standard kernel version 2.2.16 (includes ReiserFS version 3.5.23).
I could not reproduce a kernel oops.
------------------------------------
From: Dj-Ohki <dj-ohki@digipimp.org>
I've tried this on my machines, both over NFS and on locally mounted reiserfs dirs. Both machines are running 2.4.0-test7 with reiserfs 3.6.14. It seems not to manifest in this version.
--------------------------------------------
From: Maarten Bukkems <MBukkems@pcl-hage.nl>
Kernel 2.4.0-test11, reiserfs 3.6.19 on SuSE 6.4 doesn't seem to be vulnerable. (Even tried with 2048 chars .. no problem at all.)
-----------------------------------
From: Dirk Mueller <dmuell@gmx.net>
If it helps, I'm using 2.2.18+reiserfs-3.5.29+ide-dma patch and I cannot
reproduce ANYTHING said in the referred message. It works perfectly fine.
I was using gcc 2.95.2 to compile the kernel.
------------------------------
From: bugtraq@jedi.claranet.fr
ReiserFS 3.6.24 (kernel 2.4.0ac4) doesn't seem vulnerable to this attack. No segfault, no kernel oops and proper operations.
But after having discovered such a vulnerability, ReiserFS definitely needs an audit, because other exploitable buffer overflows may still be with us in 3.6.x.
readdir() doesn't find the xxxxxxx directory. rm -r x* would give you ENOENT.
Tests show that such a directory can successfully be created, accessed (cd "$(perl -e 'print "x" x 4032')"), chmod'ed, renamed and deleted. But readdir() on the parent directory fails to find it. However, it may be a ReiserFS bug (improper file name length limitation) or a VFS bug (unable to deal with such long names).
----------------------------------------------------------------------
From: Magosányi Árpád <mag@bunuel.tii.matav.hu>
Negative. What versions is it reproducible on?
kernel: 2.4.0
disk format: 3.5.x
reiserfs version: 3.6.24
> While this individual bug might be easy to fix, we believe that other,
> similar bugs should be easy to find so reiserfs should not be trusted (it
> shouldn't be trusted to full user access for other reasons anyway, but it
> is still widely used).
>
Could you elaborate on it?
------------------------------
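The reports above disagree on whether a very long directory name is rejected, created normally, or created but invisible to readdir() (the symptom bugtraq@jedi.claranet.fr describes). The following POSIX sh check, added here as an example and not part of any of the original mails, probes a filesystem for exactly that inconsistency without perl. It assumes only mktemp, awk, ls, grep and a writable $TMPDIR (defaulting to /tmp); the lengths 768 and 4032 are the ones used in the thread.

```shell
#!/bin/sh
# Probe how the filesystem under $TMPDIR handles a directory whose name is
# LEN bytes long, mirroring mkdir "$(perl -e 'print "x" x 768')" from the
# thread. Prints exactly one word:
#   rejected      mkdir refused the name (ENAMETOOLONG when LEN > NAME_MAX
#                 is the normal, correct behaviour)
#   consistent    created, visible to readdir (ls), and removable again
#   inconsistent  created but not listed by readdir, or not removable:
#                 the reiserfs 3.5.x symptom reported in the thread
check_long_name() {
    len="$1"
    base=$(mktemp -d "${TMPDIR:-/tmp}/namechk.XXXXXX") || return 1
    # LEN copies of "x", built with awk so no perl is required
    name=$(awk -v n="$len" 'BEGIN { while (n-- > 0) printf "x" }')
    if ! mkdir "$base/$name" 2>/dev/null; then
        rm -rf "$base"
        echo rejected
        return 0
    fi
    # readdir check: the parent listing must contain the exact name
    if ls -A "$base" | grep -Fqx "$name"; then
        listed=1
    else
        listed=0
    fi
    # a directory that exists but cannot be removed is the other symptom
    if rmdir "$base/$name" 2>/dev/null; then
        removed=1
    else
        removed=0
    fi
    rm -rf "$base"
    if [ "$listed" -eq 1 ] && [ "$removed" -eq 1 ]; then
        echo consistent
    else
        echo inconsistent
    fi
}

# Sweep the lengths that matter: 255 is NAME_MAX on most Linux filesystems,
# 768 and 4032 are the lengths used in the reports above.
sweep_long_names() {
    for len in 200 255 256 768 4032; do
        printf '%5d %s\n' "$len" "$(check_long_name "$len")"
    done
}
```

Run `sweep_long_names` on the mount you want to check; any line reading `inconsistent` means the filesystem and readdir() disagree about an entry that exists.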