Re: Small exposure in ocfs2 fast symlinks.

[Joel Becker <Joel.Becker () oracle com>]

On Thu, Sep 30, 2010 at 10:32:14PM +0800, Eugene Teo wrote:
> On 09/30/2010 01:49 PM, Joel Becker wrote:
> > On Wed, Sep 29, 2010 at 08:30:09PM -0700, Greg KH wrote:
> > > On Wed, Sep 29, 2010 at 07:04:07PM -0700, Joel Becker wrote:
> > > > Hey Everyone,
> > > >   We just discovered that ocfs2 could walk off the end of fast
> > > > symlinks -- that is, symlinks that are stored directly in the inode
> > > > block.  ocfs2 terminates these with NUL characters, but a disk
> > > > corruption or an attacker with direct access to the ocfs2 disk could
> > > > overwrite the NUL.  Following the symlink via the filesystem would walk
> > > > off the end of the in-memory block buffer.  We're not sure how
> > > > exploitable this is, but I figured I'd provide a heads-up.  The fix is
> > > > in ocfs2's git tree and will be sent upstream tonight.  Erratas with the
> > > > fix are being built.
> > >
> > > Care to send the git commit id to the stable () kernel org tree when it
> > > hits Linus's tree so it gets backported there?
> >
> >     I Cc'd stable () kernel org in the commit, don't worry ;-)
>
> Thanks, please also cc oss-sec when the commit hash is available.

        The commit hash in Linus's tree is
1fc8a117865b54590acd773a55fbac9221b018f0.  This problem only exists from
2.6.30 onwards; it is not present in older kernels.

Joel

-- 

"In the long run...we'll all be dead."
                                        -Unknown

Joel Becker
Consulting Software Developer
Oracle
E-mail: joel.becker () oracle com
Phone: (650) 506-8127