[1984] in SIPB_Linux_Development
new "inode count" security hole
daemon@ATHENA.MIT.EDU (mhpower@MIT.EDU)
Mon Jan 12 17:09:20 1998
From: mhpower@MIT.EDU
Date: Mon, 12 Jan 1998 17:04:42 -0500
To: net-defense@MIT.EDU, linux-dev@MIT.EDU
Cc: yert@MIT.EDU
There's evidently a newly found vulnerability affecting many versions
of Unix that can be exploited by calling link(2) a large number of
times with the same first argument. The only mention I've seen of this
so far is on the linux-kernel mailing list, which I suspect many of
you don't read, so I thought I'd pass along a few of the postings that
discuss this. I don't know of any patches for the problem that have
yet been issued, nor have I seen any exploit programs released.
Matt
------- Forwarded Messages
Date: Mon, 12 Jan 1998 15:22:45 -0500 (EST)
From: James Mastros <root@jennifer-unix.dyn.ml.org>
To: Bill Hawes <whawes@star.net>
cc: Chris Evans <chris@ferret.lmh.ox.ac.uk>, linux-kernel@vger.rutgers.edu
Subject: Re: inode->i_count security hole
Message-ID: <Pine.LNX.3.96.980112143015.3202B-100000@jennifer-unix.dyn.ml.org>
On Mon, 12 Jan 1998, Bill Hawes wrote:
> Chris Evans wrote:
> > I've read about the recently discovered inode counting security hole
> > (ugh). Perhaps it's worth a quick audit to see what other counters
> > malicious users could overflow....??
>
> For those of us who haven't heard of this, could you summarize the
> problem with inode counting?
Make a whole bunch of hardlinks to the same file... after you overflow
inode.i_count, Bad Stuff starts to happen.
-=- James Mastros
Message-Id: <m0xrkmx-0005FsC@lightning.swansea.linux.org.uk>
From: alan@lxorguk.ukuu.org.uk (Alan Cox)
Subject: Re: inode->i_count security hole
To: chris@ferret.lmh.ox.ac.uk (Chris Evans)
Date: Mon, 12 Jan 1998 14:24:27 +0000 (GMT)
Cc: linux-kernel@vger.rutgers.edu
> Looking forward to 2.0.34 (with idt mem leak fix? This could be used as a
> local DoS)
Actually you can do better than a DoS attack with it. The fix is to make
i_count a long at the moment.
> PS. Are any other OSes affected by this or similar issues?
A related one kills every Unix we've tested stone dead.
Alan
Date: Mon, 12 Jan 1998 14:39:38 +0000 (GMT)
From: Chris Evans <chris@ferret.lmh.ox.ac.uk>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
cc: linux-kernel@vger.rutgers.edu
Subject: Re: inode->i_count security hole
Message-ID: <Pine.LNX.3.95.980112143515.10256B-100000@ferret.lmh.ox.ac.uk>
On Mon, 12 Jan 1998, Alan Cox wrote:
> > Looking forward to 2.0.34 (with idt mem leak fix? This could be used as a
> > local DoS)
>
> Actually you can do better than a DoS attack with it. The fix is to make
> i_count a long at the moment.
Yes, I know it's a potential ->root hole. The (potential) DoS I was
referring to is the idt mem leak in arch/i386/process.c
> A related one kills every Unix we've tested stone dead.
Ouch, including OpenBSD? Heh heh heh.
Chris
------- End of Forwarded Messages
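The counter-wraparound class the thread is discussing, as an added illustration that is not part of the forwarded messages and is not Linux kernel code: a toy reference-counted object with a narrow (16-bit) count, driven through more acquisitions than the type can hold, next to the two mitigations the thread mentions or implies (widening the type, and refusing an increment that would wrap, much as link(2) can refuse with EMLINK when a file already has its maximum link count). The struct names, helper names and the "freed when the count reaches zero" rule are assumptions of this model, not details taken from the 2.0 inode code.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy model (constructed for this example) of an object whose lifetime is
 * governed by a reference count.  It is NOT the Linux inode structure; the
 * "freed when the count reaches zero" rule is an assumption of the model. */
struct narrow_obj {
    unsigned short i_count;   /* 16-bit counter, the narrow case from the thread */
    bool freed;
};

struct wide_obj {
    unsigned long i_count;    /* the widened counter Alan Cox describes as the fix */
    bool freed;
};

/* Unchecked increment: what each successful link(2) does to the counter. */
static void narrow_get(struct narrow_obj *o) { o->i_count++; }
static void wide_get(struct wide_obj *o)     { o->i_count++; }

/* Release: the object is "freed" when the count drops to zero. */
static void narrow_put(struct narrow_obj *o) { if (--o->i_count == 0) o->freed = true; }

/* Drive the narrow counter through USHRT_MAX + 1 acquisitions so it wraps to 0,
 * then let one more user take and release a reference.  Returns the number of
 * holders still outstanding at the moment the object is marked freed, or 0 if
 * it was never freed prematurely. */
unsigned long narrow_model_premature_free_holders(void)
{
    struct narrow_obj o = {0, false};
    unsigned long holders = 0;

    for (unsigned long i = 0; i <= USHRT_MAX; i++) {   /* 65536 acquisitions */
        narrow_get(&o);
        holders++;
    }
    /* 65536 live holders, but i_count has wrapped back to 0 */
    narrow_get(&o); holders++;   /* a fresh user takes a reference: count = 1 */
    narrow_put(&o); holders--;   /* ...and releases it: count 1 -> 0, object freed */

    return o.freed ? holders : 0;
}

/* Same number of acquisitions against the widened counter: no wrap, and the
 * count faithfully reports every outstanding holder. */
unsigned long wide_model_count_after_overflow_attempts(void)
{
    struct wide_obj o = {0, false};
    for (unsigned long i = 0; i <= USHRT_MAX; i++)
        wide_get(&o);
    return o.i_count;
}

/* Hardened narrow counter: refuse an acquisition that would wrap instead of
 * silently truncating.  A caller would see this as an error return, analogous
 * to link(2) failing with EMLINK once a file has its maximum link count. */
static int checked_get(unsigned short *count)
{
    if (*count == USHRT_MAX)
        return -1;            /* would wrap; reject */
    (*count)++;
    return 0;
}

/* Attempts USHRT_MAX + 1 acquisitions; returns how many were refused. */
int checked_model_refusals(void)
{
    unsigned short count = 0;
    int refused = 0;
    for (unsigned long i = 0; i <= USHRT_MAX; i++)
        if (checked_get(&count) != 0)
            refused++;
    return refused;
}

int main(void)
{
    printf("narrow counter: freed with %lu holders outstanding\n",
           narrow_model_premature_free_holders());
    printf("wide counter after %u acquisitions: %lu\n",
           (unsigned)USHRT_MAX + 1u, wide_model_count_after_overflow_attempts());
    printf("checked narrow counter: %d acquisition(s) refused\n",
           checked_model_refusals());
    return 0;
}
```

The point of the model is the failure mode rather than the arithmetic: once the narrow count wraps to zero, the object looks unreferenced to whatever code consults the counter, and the next ordinary release frees it while tens of thousands of references are still live. Widening the type, as the thread proposes, moves the wrap out of reach; rejecting an increment at the type's limit closes it for any width, which is the kind of check an audit of "other counters malicious users could overflow" should look for.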