Bugtraq mailing list archives

Re: major security bug in reiserfs (may affect SuSE Linux)


From: Ben Greenbaum <bgreenbaum () SECURITYFOCUS COM>
Date: Wed, 10 Jan 2001 09:14:43 -0800

summary of responses:

-----------------------------------------
From: Allen Bolderoff <allen () gist net au>

The latest reiserfs patches and the 2.4 kernel are fine here.

------------------------------------------------------
From: "Brandon S. Allbery KF8NH" <allbery () ece cmu edu>

<john () VMLINUX NET> wrote:
+-----
| I can't reproduce this.
+--->8

I've just tried it on stock SuSE 6.4 and 7.0 and also cannot reproduce it.

---------------------------------------------
From: "John H. Robinson, IV" <jhriv () ucsd edu>

[jaqque@osiris:/tmp/chk]% uname -a
Linux osiris 2.2.18 [classified] Sat Jan 6 11:19:04 PST 2001 i586 unknown
[jaqque@osiris:/tmp/chk]% mkdir "$(perl -e 'print "x" x 768')"

no oops, but a directory that cannot be removed.
linux kernel 2.2.18 with reiserfs-3.5.29 patch

---------------------------
From: lloy0076 () rebel net au

No oops maybe, BUT if you set up an evil script to make so many that the various kernel structures got too full (or it
filled the whole partition/disk up) then....
And at 650MHz my computer could do that quite easily...

----------------------------------------------
From: Torge Szczepanek <bugtraq () szczepanek de>

I tested it under a fresh install of SuSE Linux 7.0 using the SuSE Linux
7.0 standard kernel, version 2.2.16 (includes ReiserFS version 3.5.23).

I could not reproduce a kernel oops.

------------------------------------
From: Dj-Ohki <dj-ohki () digipimp org>

I've tried this on my machines, both over NFS and on locally mounted reiserfs
dirs. Both machines are running 2.4.0-test7 with reiserfs 3.6.14. It
seems not to manifest in this version.

--------------------------------------------
From: Maarten Bukkems <MBukkems () pcl-hage nl>

Kernel 2.4.0-test11, reiserfs 3.6.19 on SuSE 6.4 doesn't seem to be
vulnerable. (Even tried with 2048 chars... no problem at all.)


-----------------------------------
From: Dirk Mueller <dmuell () gmx net>

If it helps, I'm using 2.2.18+reiserfs-3.5.29+ide-dma patch and I cannot
reproduce ANYTHING said in the referred message. It works perfectly fine.
I was using gcc 2.95.2 to compile the kernel.

------------------------------
From: bugtraq () jedi claranet fr

ReiserFS 3.6.24 (kernel 2.4.0ac4) doesn't seem vulnerable to this attack.
No segfault, no kernel oops and proper operations.
But after having discovered such a vulnerability, ReiserFS definitely
needs an audit, because other exploitable buffer overflows may still be
with us in 3.6.x.

readdir() doesn't find the xxxxxxx directory. rm -r x* would give you
ENOENT.

Tests show that such a directory can successfully be created, accessed (cd
"$(perl -e 'print "x" x 4032')"), chmod'ed, renamed and deleted. But
readdir() on the parent directory fails to find it. However, it may be a
ReiserFS bug (improper file name length limitation) or a VFS bug (unable to deal
with such long names).

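The replies above describe three distinct outcomes for an over-long directory name: the kernel refuses it, it is created and behaves normally, or it is created but the parent's readdir() does not list it (or it cannot be removed). The following check script is an added example; it is not from any poster in this thread and not part of reiserfs or the kernel. It assumes a POSIX sh with awk, ls, grep, mkdir and rmdir, and should be run against a scratch directory on the filesystem under test. The function name probe_name_length and the four result words are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): probe how a filesystem handles a
# directory entry whose name is exactly $1 bytes long, and classify the
# result the way the reports above do.
#
# Prints one of:
#   refused      mkdir rejected the name (expected on a filesystem that
#                enforces NAME_MAX, usually 255 bytes)
#   consistent   created, visible in the parent's listing, removed normally
#   unlisted     created, but the parent's directory listing does not show it
#   undeletable  created and listed, but rmdir failed
probe_name_length() {
    len=$1
    base=${2:-.}

    # Build a name of exactly $len 'x' characters (no perl dependency).
    name=$(awk -v n="$len" 'BEGIN { while (i++ < n) printf "x" }')

    # Step 1: can the entry be created at all?
    if ! mkdir "$base/$name" 2>/dev/null; then
        echo refused
        return 0
    fi

    # Step 2: readdir check; does the parent listing contain the entry?
    # -x matches the whole line, -F treats the name literally.
    if ! ls -a "$base" | grep -qxF "$name"; then
        rmdir "$base/$name" 2>/dev/null || true
        echo unlisted
        return 0
    fi

    # Step 3: can it be removed through the normal path?
    if ! rmdir "$base/$name" 2>/dev/null; then
        echo undeletable
        return 0
    fi

    echo consistent
}

# usage: sh probe.sh <length> [scratch-dir]
if [ -n "${1:-}" ]; then
    probe_name_length "$1" "${2:-.}"
fi
```

On a healthy filesystem a length below NAME_MAX should report "consistent" and anything above it "refused"; "unlisted" reproduces the readdir() symptom described above, and "undeletable" the directory that cannot be removed reported earlier in the thread. Because the script creates and removes only a single empty directory under the scratch path, it can be run repeatedly at increasing lengths without filling the partition.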
----------------------------------------------------------------------
From: Magosányi Árpád <mag () bunuel tii matav hu>

Negative. What versions is it reproducible on?

kernel: 2.4.0
disk format: 3.5.x
reiserfs version: 3.6.24

While this individual bug might be easy to fix, we believe that other,
similar bugs should be easy to find so reiserfs should not be trusted (it
shouldn't be trusted to full user access for other reasons anyway, but it
is still widely used).

Could you elaborate on it?

------------------------------

