Bugtraq mailing list archives
Re: major security bug in reiserfs (may affect SuSE Linux)
From: Andreas Ferber <af () DEVCON NET>
Date: Wed, 10 Jan 2001 18:50:33 +0100
Hi,

On Wed, Jan 10, 2001 at 12:42:01AM +0100, Marc Lehmann wrote:

> We have tested and verified this problem on a number of different systems and kernels 2.2.17/2.2.8 with reiserfs-3.5.28 and probably other versions.
>
> Basically, you do:
>
>   mkdir "$(perl -e 'print "x" x 768')"
>
> I.e. create a very long directory. The name doesn't seem to be of relevance (we found this out by doing mkdir "$(cat /etc/hosts)" for other tests). This works. The next ls (or echo *) command will segfault and the kernel oopses. All following accesses to the volume in question will oops and hang the process, even after a reboot.
Could not reproduce it on Linux 2.4.0 with ReiserFS 3.6.24. But I found some other strange things (everything tested on the above-mentioned versions):

If you start increasing the directory name length, everything works fine up to 3377 characters, as it does with a length greater than 4032 (mkdir says "File name to long" then). But if you choose a length between (including) 3378 and 4032, weird things happen:

 - "ls" and "echo *" no longer show the directory (the directory is certainly there, as you can "cd" into it and "pwd" correctly shows it).

 - If the length is smaller than 3922, you can still show the directory with "find -maxdepth 1" (longer names even disappear from find).

 - Also, sometimes other entries in the directory you were creating the overlong name in start disappearing from ls. The only system I could find till now is, for filename length <3922, that all files showing up in the find output after the long name are not shown by ls (the position changes if you change the name length, but for one particular length it is constant if you remove and recreate the directory several times).

You can tell if a directory with an overlong name exists by looking at the size or the reference count of the parent directory:

(630) root@kallisto: /var/spool # mkdir "$(perl -e 'print "x" x 4032')"
(631) root@kallisto: /var/spool # ls -ld .
drwxr-xr-x 17 root root 4381 Jan 10 17:58 .
(632) root@kallisto: /var/spool # rmdir "$(perl -e 'print "x" x 4032')"
(633) root@kallisto: /var/spool # ls -ld .
drwxr-xr-x 16 root root 333 Jan 10 18:00 .

Looks like a nearly perfect place for hiding rootkits or similar things if you manage to create a directory in a manner that no other files or directories disappear :-/

Just to make it clear, while doing all this, *no* kernel oops and no segfaults happened, so it doesn't seem to overwrite the stack or similar bad things.
The software versions used in the tests are:

(638) root@kallisto: /var/spool # /lib/libc-2.1.3.so -V
GNU C Library stable release version 2.1.3, by Roland McGrath et al.
Copyright (C) 1992, 93, 94, 95, 96, 97, 98, 99 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled by GNU CC version 2.95.2 20000220 (Debian GNU/Linux).
Compiled on a Linux 2.2.15 system on 2000-09-01.
Available extensions:
        GNU libio by Per Bothner
        crypt add-on version 2.1 by Michael Glad and others
        linuxthreads-0.8 by Xavier Leroy
        BIND-4.9.7-REL
        NIS(YP)/NIS+ NSS modules 0.19 by Thorsten Kukuk
        NSS V1 modules 2.0.2
        libthread_db work sponsored by Alpha Processor Inc
Report bugs using the `glibcbug' script to <bugs () gnu org>.
(639) root@kallisto: /var/spool # find --version
GNU find version 4.1
(640) root@kallisto: /var/spool # ls --version
ls (GNU fileutils) 4.0l
Written by Richard Stallman and David MacKenzie.
Copyright (C) 1999 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
(641) root@kallisto: /var/spool # bash --version
GNU bash, version 2.03.0(1)-release (i386-pc-linux-gnu)
Copyright 1998 Free Software Foundation, Inc.

Andreas
--
Andreas Ferber - dev/consulting GmbH - Bielefeld, FRG
---------------------------------------------------------
+49 521 1365800 - af () devconsult de - www.devconsult.de
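The parent-directory link count check that Andreas describes above (a subdirectory that ls no longer lists still bumps the parent's reference count from 16 to 17) can be turned into a small integrity audit. The following is an added example written for this archive page, not code from the post or from the ReiserFS project. It assumes a filesystem that maintains directory link counts in the classic Unix way (st_nlink of a directory = 2 + number of subdirectories, as ext2/3/4, ReiserFS and tmpfs do); filesystems that report st_nlink == 1 for every directory (btrfs, overlayfs, some network filesystems) make the check inconclusive, and the code reports that rather than guessing. The directory size heuristic from the post is not used because directory sizes are filesystem-specific.

```python
"""Flag subdirectories that the parent's link count implies but readdir does not show.

Added example (not from the original post). Assumes a filesystem that keeps
directory link counts as 2 + number of subdirectories: one link for the
directory's own '.', one from the parent's entry, and one per child '..'.
"""
import os
import stat
import tempfile
from typing import Optional


def estimate_hidden_subdirs(nlink: int, visible_subdirs: int) -> Optional[int]:
    """Return the number of subdirectories the link count implies but readdir did not list.

    Returns None when the link count carries no information (nlink < 2), which
    is what filesystems without directory link counting report. In the post's
    session the parent had nlink 17 while 14 real subdirectories were visible
    (16 - 2 after the overlong directory was removed), so the estimate is 1.
    """
    if nlink < 2:
        return None
    return nlink - 2 - visible_subdirs


def audit_directory(path: str) -> dict:
    """Compare a directory's st_nlink with the subdirectories os.scandir shows."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    visible = 0
    with os.scandir(path) as it:
        for entry in it:
            # follow_symlinks=False: a symlink to a directory adds no '..' link
            # to this directory, so it must not be counted.
            if entry.is_dir(follow_symlinks=False):
                visible += 1
    return {
        "path": path,
        "nlink": st.st_nlink,
        "visible_subdirs": visible,
        # None means "filesystem does not count directory links; inconclusive"
        "hidden_estimate": estimate_hidden_subdirs(st.st_nlink, visible),
    }


def demo() -> dict:
    """Build a constructed directory tree (3 subdirs, 2 files, 1 symlink) and audit it.

    On a link-counting filesystem the result has nlink 5 and hidden_estimate 0;
    on a non-counting filesystem hidden_estimate is None.
    """
    with tempfile.TemporaryDirectory() as root:
        for name in ("a", "b", "c"):
            os.mkdir(os.path.join(root, name))
        for name in ("f1", "f2"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("constructed sample file\n")
        # symlink to a subdirectory: must not be counted as a subdirectory
        os.symlink(os.path.join(root, "a"), os.path.join(root, "link-to-a"))
        return audit_directory(root)


if __name__ == "__main__":
    result = demo()
    if result["hidden_estimate"] is None:
        print("inconclusive: filesystem does not maintain directory link counts")
    elif result["hidden_estimate"] > 0:
        print("WARNING: %d subdirectory(ies) implied by link count but not listed" % result["hidden_estimate"])
    else:
        print("ok: link count matches %d visible subdirectories" % result["visible_subdirs"])
```

Run it against a directory you care about by calling audit_directory(path) from a periodic job and alerting when hidden_estimate is positive; a None result means the filesystem in question cannot be audited this way and another integrity source (a file-level inventory taken from a trusted boot medium, for instance) is needed.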