oss-sec mailing list archives
Re: Small exposure in ocfs2 fast symlinks.
From: Josh Bressers <bressers () redhat com>
Date: Mon, 4 Oct 2010 15:05:12 -0400 (EDT)
----- "Joel Becker" <Joel.Becker () oracle com> wrote:
Hey Everyone, We just discovered that ocfs2 could walk off the end of fast symlinks -- that is, symlinks that are stored directly in the inode block. ocfs2 terminates these with NUL characters, but a disk corruption or an attacker with direct access to the ocfs2 disk could overwrite the NUL. Following the symlink via the filesystem would walk off the end of the in-memory block buffer. We're not sure how exploitable this is, but I figured I'd provide a heads-up. The fix is in ocfs2's git tree and will be sent upstream tonight. Erratas with the fix are being built. If someone thinks we should have a CVE, please provide me with the number. Otherwise, just FYI.
Unless someone asks for an ID, I don't plan to give this one. I dare say if an attacker can modify the disk directly, you probably have far bigger worries here than following symlinks. Thanks. -- JB
Current thread:
- Re: Small exposure in ocfs2 fast symlinks. Joel Becker (Oct 01)
- <Possible follow-ups>
- Re: Small exposure in ocfs2 fast symlinks. Josh Bressers (Oct 04)