Re: Small exposure in ocfs2 fast symlinks.

[Josh Bressers <bressers () redhat com>]

----- "Joel Becker" <Joel.Becker () oracle com> wrote:

> Hey Everyone,
>       We just discovered that ocfs2 could walk off the end of fast symlinks
>       -- that is, symlinks that are stored directly in the inode block.
>       ocfs2 terminates these with NUL characters, but a disk corruption or an
>       attacker with direct access to the ocfs2 disk could overwrite the NUL.
>       Following the symlink via the filesystem would walk off the end of the
>       in-memory block buffer.  We're not sure how exploitable this is, but I
>       figured I'd provide a heads-up.  The fix is in ocfs2's git tree and
>       will be sent upstream tonight.  Erratas with the fix are being built.
>       If someone thinks we should have a CVE, please provide me with the
>       number.  Otherwise, just FYI.

Unless someone asks for an ID, I don't plan to give this one. I dare say if
an attacker can modify the disk directly, you probably have far bigger
worries here than following symlinks.

Thanks.

-- 
    JB