Bugtraq mailing list archives
Re: major security bug in reiserfs (may affect SuSE Linux)
From: Ben Greenbaum <bgreenbaum () SECURITYFOCUS COM>
Date: Wed, 10 Jan 2001 09:14:43 -0800
summary of responses:

-----------------------------------------
From: Allen Bolderoff <allen () gist net au>

latest reiserfs patches and 2.4 kernel is fine here

-----------------------------------------
From: "Brandon S. Allbery KF8NH" <allbery () ece cmu edu>

<john () VMLINUX NET> wrote:
+-----
| I can't reproduce this.
+--->8

I've just tried it on stock SuSE 6.4 and 7.0 and also cannot reproduce it.

-----------------------------------------
From: "John H. Robinson, IV" <jhriv () ucsd edu>

[jaqque@osiris:/tmp/chk]% uname -a
Linux osiris 2.2.18 [classified] Sat Jan 6 11:19:04 PST 2001 i586 unknown
[jaqque@osiris:/tmp/chk]% mkdir "$(perl -e 'print "x" x 768')"

no oops, but a directory that cannot be removed.

linux kernel 2.2.18 with reiserfs-3.5.29 patch

-----------------------------------------
From: lloy0076 () rebel net au

No oops maybe, BUT if you set up an evil script to make so many that the various kernel structures got too full (or it filled the whole partition/disk up) then....

And at 650MHz my computer could do that quite easily...

-----------------------------------------
From: Torge Szczepanek <bugtraq () szczepanek de>

I tested it under a fresh install of Suse Linux 7.0 using the Suse Linux 7.0 Standard kernel Version 2.2.16 (includes ReiserFS version 3.5.23).

I could not reproduce a kernel oops

-----------------------------------------
From: Dj-Ohki <dj-ohki () digipimp org>

I've tried this on my machines, both over nfs and local reiserfs mounted dirs. Both machines are running 2.4.0-test7 with reiserfs 3.6.14. It seems not to manifest in this version.

-----------------------------------------
From: Maarten Bukkems <MBukkems () pcl-hage nl>

Kernel 2.4.0-test11, reiserfs 3.6.19 on SuSE 6.4 doesn't seem to be vulnerable. (even tried with 2048 chars .. no problem at all)

-----------------------------------------
From: Dirk Mueller <dmuell () gmx net>

If it helps, I'm using 2.2.18+reiserfs-3.5.29+ide-dma patch and I cannot reproduce ANYTHING said in the referred message. It works perfectly fine. I was using gcc 2.95.2 to compile the kernel.

-----------------------------------------
From: bugtraq () jedi claranet fr

ReiserFS 3.6.24 (kernel 2.4.0ac4) doesn't seem vulnerable to this attack. No segfault, no kernel oops and proper operations.

But after having discovered such a vulnerability, ReiserFS definitely needs an audit, because other exploitable buffer overflows may still be with us in 3.6.x.

readdir() doesn't find the xxxxxxx directory. rm -r x* would give you ENOENT.

Tests show that such a directory can successfully be created, accessed (cd "$(perl -e 'print "x" x 4032')"), chmod'ed, renamed and deleted. But readdir() on the parent directory fails to find it.

However it may be a ReiserFS bug (improper file length limitation) or a VFS bug (unable to deal with so long names).

-----------------------------------------
From: Magosányi Árpád <mag () bunuel tii matav hu>

Negative. What versions is it reproducible on?

kernel: 2.4.0
disk format: 3.5.x
reiserfs version: 3.6.24

> While this individual bug might be easy to fix, we believe that other, similar bugs should be easy to find so reiserfs should not be trusted (it shouldn't be trusted to full user access for other reasons anyway, but it is still widely used).

Could you elaborate on it?

-----------------------------------------