Bugtraq mailing list archives
PATCH: Fix for linux 2.0.x -ve truncation problem
From: chris () CYBERNET CO NZ (Chris Wedgwood)
Date: Mon, 19 Apr 1999 11:50:25 +1200
On Thu, Apr 15, 1999 at 09:06:42PM +0200, Mixter wrote:

> That program you wrote is very scary :) Any user can create files on any kind of partition with a "negative" size (i.e. with wrong file structure information). IMO, this is a problem of a linux x86 kernel instruction..

linux-2.0.33:

  open("/tmp/blah", O_RDWR|O_CREAT, 0600) = 3
  fchmod(3, 0666) = 0
  ftruncate(3, 4294067296) = 0
  fsync(3) = 0

Looking at the 2.0.36 source, there is no check in fs/open.c:do_truncate, so I assume it too is vulnerable (I don't have a machine spare that I can break to test this on).

Recent linux 2.2.x kernels seem OK:

  open("blah", O_RDWR|O_CREAT, 0600) = 3
  fchmod(3, 0666) = 0
  ftruncate(3, 4294067296) = -1 EINVAL (Invalid argument)
  fsync(3) = 0

A patch to fix this in 2.0.x is appended below (against 2.0.36). It's just a cut and paste of the relevant code from recent kernels; I assume it works, not tested, but I can't see how it can fail...

-Chris

Attachment: 2.0.36-do_truncate-fix.patch

--- linux/fs/open.c~ Sat Nov 30 23:21:19 1996 +++ linux/fs/open.c Mon Apr 19 12:44:47 1999 @@ -68,6 +68,11 @@ int error; struct iattr newattrs; + + /* Not pretty: "inode->i_size" shouldn't really be "off_t". But it is. */ + if ((off_t) length < 0) + return -EINVAL; + down(&inode->i_sem); newattrs.ia_size = length; newattrs.ia_valid = ATTR_SIZE | ATTR_CTIME;
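Review bot: the new check does reject the value from the strace above: 4294067296 is 2^32 - 900000, so on a 32-bit kernel `(off_t) length` evaluates to -900000 and the function returns -EINVAL before `down(&inode->i_sem)` is taken, so the early return leaves no semaphore held. Since the patch is stated to be untested, two things are worth confirming before applying it: that `length` in 2.0.36's do_truncate() is a 32-bit type (if it were wider than off_t the cast would truncate rather than sign-check), and that both the truncate and ftruncate system calls route through do_truncate(), so the ftruncate path shown in the strace is actually covered. The comment on the cast is worth keeping as-is; it records why this is a cast rather than a proper fix of the i_size type.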
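As an added illustration, not code from the post or from the kernel, the following user-space C model reproduces what the unpatched and patched do_truncate() paths do with the length from the strace output above. The kernel's 32-bit `unsigned long` and `off_t` are emulated with fixed-width types so the behaviour is the same on a 64-bit host, and `struct k_inode` is a constructed stand-in for the real inode.

```c
/* Added example: user-space model of the 2.0.x do_truncate() length check.
 * Not kernel code; types and the inode struct are constructed stand-ins. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t k_ulong;   /* 32-bit unsigned long, as on x86 2.0.x */
typedef int32_t  k_off_t;   /* 32-bit off_t, the type of inode->i_size */

struct k_inode { k_off_t i_size; };   /* constructed stand-in for struct inode */

/* Unpatched path: the caller-supplied length is stored into i_size without
 * validation, so any value with the top bit set lands as a negative size. */
int do_truncate_unpatched(struct k_inode *inode, k_ulong length)
{
    inode->i_size = (k_off_t) length;
    return 0;
}

/* Patched path, mirroring the hunk in the post: reject a length that is
 * negative once viewed as off_t, before the inode is touched. */
int do_truncate_patched(struct k_inode *inode, k_ulong length)
{
    if ((k_off_t) length < 0)
        return -EINVAL;
    inode->i_size = (k_off_t) length;
    return 0;
}

int main(void)
{
    struct k_inode a = { 0 }, b = { 0 };
    k_ulong len = 4294067296u;   /* the value from the strace in the post */

    printf("unpatched: rc=%d i_size=%ld\n",
           do_truncate_unpatched(&a, len), (long) a.i_size);
    printf("patched:   rc=%d i_size=%ld\n",
           do_truncate_patched(&b, len), (long) b.i_size);
    return 0;
}
```

The unpatched model ends up with i_size = -900000, which is the "negative size" file Mixter describes; the patched model returns -EINVAL and leaves i_size untouched.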