oss-sec mailing list archives

Small exposure in ocfs2 fast symlinks.


From: Joel Becker <Joel.Becker () oracle com>
Date: Wed, 29 Sep 2010 19:04:07 -0700

Hey Everyone,
        We just discovered that ocfs2 could walk off the end of fast
symlinks -- that is, symlinks that are stored directly in the inode
block.  ocfs2 terminates these with NUL characters, but a disk
corruption or an attacker with direct access to the ocfs2 disk could
overwrite the NUL.  Following the symlink via the filesystem would walk
off the end of the in-memory block buffer.  We're not sure how
exploitable this is, but I figured I'd provide a heads-up.  The fix is
in ocfs2's git tree and will be sent upstream tonight.  Errata with the
fix are being built.
        If someone thinks we should have a CVE, please provide me with
the number.  Otherwise, just FYI.

Joel

-- 

Life's Little Instruction Book #267

        "Lie on your back and look at the stars."

Joel Becker
Consulting Software Developer
Oracle
E-mail: joel.becker () oracle com
Phone: (650) 506-8127
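The bug class described above, as an added illustration that is not ocfs2's own code: an inline (fast) symlink target is only safe to use if its NUL terminator lies inside the inode block, so the length scan must be bounded by the block, never by a plain strlen(). BLOCK_SIZE, LINK_OFF and make_block() are assumed values and helpers for the demo.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model, not ocfs2 code: the fast symlink target is stored inline
 * in the inode block and is trusted only if a NUL appears before block end. */
#define BLOCK_SIZE 512          /* hypothetical block size for the demo */
#define LINK_OFF   64           /* hypothetical offset of the inline target */

/* Length of the inline target if a NUL exists before the block ends,
 * or -1 when the terminator is missing (corrupted or tampered block).
 * memchr() is bounded by avail, so it never reads past the block buffer. */
long fast_symlink_len(const unsigned char *block, size_t block_size)
{
    if (LINK_OFF >= block_size)
        return -1;
    size_t avail = block_size - LINK_OFF;
    const unsigned char *nul = memchr(block + LINK_OFF, '\0', avail);
    return nul ? (long)(nul - (block + LINK_OFF)) : -1;
}

/* Copy the target into dst only after the bounds check succeeds.
 * Returns the length copied, or -1 (dst untouched) on a bad block. */
long fast_symlink_read(const unsigned char *block, size_t block_size,
                       char *dst, size_t dst_size)
{
    long len = fast_symlink_len(block, block_size);
    if (len < 0 || (size_t)len + 1 > dst_size)
        return -1;
    memcpy(dst, block + LINK_OFF, (size_t)len + 1);
    return len;
}

/* Build a constructed inode block filled with 'A' (no stray NULs) and the
 * target at LINK_OFF; terminated == 0 models the overwritten terminator. */
void make_block(unsigned char *block, const char *target, int terminated)
{
    memset(block, 'A', BLOCK_SIZE);
    size_t n = strlen(target);
    memcpy(block + LINK_OFF, target, n);
    if (terminated)
        block[LINK_OFF + n] = '\0';
}
```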

