[vs at NAMESYS.BOTIK.RU: Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)]

Kostas Papadakis kostas2 at easyweb.gr
Wed Jan 10 16:37:01 EET 2001


to parakato to stelno me kathe epifilaksi 

----- Forwarded message from "Vladimir V. Saveliev" <vs at NAMESYS.BOTIK.RU> -----

X-POP3-Rcpt: kostas2.easyweb at mail
Approved-By: beng at SECURITYFOCUS.COM
Delivered-To: bugtraq at lists.securityfocus.com
Delivered-To: BUGTRAQ at SECURITYFOCUS.COM
X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.18 i686)
X-Accept-Language: en
Date:         Wed, 10 Jan 2001 03:56:32 +0300
Reply-To: "Vladimir V. Saveliev" <vs at NAMESYS.BOTIK.RU>
From: "Vladimir V. Saveliev" <vs at NAMESYS.BOTIK.RU>
Subject:      Re: [reiserfs-list] major security bug in reiserfs (may affect
              SuSE Linux)
X-To:         Marc Lehmann <pcg at goof.com>
X-cc:         linux-kernel at vger.kernel.org, reiserfs-list at namesys.com
To: BUGTRAQ at SECURITYFOCUS.COM

Hi

Marc Lehmann wrote:

> We are still investigating, but there seems to be a major security problem
> in at least some versions of reiserfs. Since reiserfs is shipped with
> newer versions of SuSE Linux and the problem is too easy to reproduce and
> VERY dangerous I think alerting people to this problem is in order.
>
> We have tested and verified this problem on a number of different systems
> and kernels 2.2.17/2.2.8 with reiserfs-3.5.28 and probably other versions.
>
> Basically, you do:
>
> mkdir "$(perl -e 'print "x" x 768')"
>
> I.e. create a very long directory. The name doesn't seem to be of
> relevance (we found this out by doing mkdir "$(cat /etc/hosts)" for other
> tests). This works.  The next ls (or echo *) command will segfault and the
> kernel oopses. all following accesses to the volume in question will oops
> and hang the process, even afetr a reboot.
>

Hmm,
mkdir "$(perl -e 'print "x" x 768')"
ls
echo *

works here as it should. (2.2.18 and reiserfs-3.5.29)

Did I miss something?

Thanks,
vs



>
> reiserfsck (the filesystem check program) does _NOT_ detect or solve this
> problem:
>
> Replaying journal..ok
> Checking S+tree..ok
> Comparing bitmaps..ok
>
> But fortunately, rmdir <filename> works and seems to leave the filesystem
> undamaged.
>
> Since a kernel oops results (see below), this indicates a buffer overrun
> (the kernel jumps to address 78787878, which is "xxxx") inside the kernel,
> which is of course very nasty (think ftp-upload!) and certainly gives you
> root access from anywhere, even from inside a chrooted environment. We
> didn't pursue this further.
>
> The best workaround at this time seems to be to uninstall reiserfs
> completely or not allow any user access (even indirect) to these volumes.
> While this individual bug might be easy to fix, we believe that other,
> similar bugs should be easy to find so reiserfs should not be trusted (it
> shouldn't be trusted to full user access for other reasons anyway, but it
> is still widely used).
>
> Unable to handle kernel paging request at virtual address 78787878
> current->tss.cr3 = 0d074000, %cr3 = 0d074000
> *pde = 00000000
> Oops: 0002
> CPU:    0
> EIP:    0010:[<c013f875>]
> EFLAGS: 00010282
> eax: 00000000   ebx: bfffe78c   ecx: 00000000   edx: bfffe78c
> esi: ccbddd62   edi: 78787878   ebp: 00000300   esp: ccbddd3c
> ds: 0018   es: 0018   ss: 0018
> Process bash (pid: 292, process nr: 54, stackpage=ccbdd000)
> Stack: c013f66a ccbddf6c cd100000 ccbddd62 0000030c c0136d49 00000700 00002013
>        00001000 7878030c 78787878 78787878 78787878 78787878 78787878 78787878
>        78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878
> Call Trace: [<c013f66a>] [<c0136d49>]
> Code: 89 1f 8b 44 24 18 29 47 08 31 c0 5b 5e 5f 5d 81 c4 2c 01 00
>
> --
>       -----==-                                             |
>       ----==-- _                                           |
>       ---==---(_)__  __ ____  __       Marc Lehmann      +--
>       --==---/ / _ \/ // /\ \/ /       pcg at opengroup.org |e|
>       -=====/_/_//_/\_,_/ /_/\_\       XX11-RIPE         --+
>     The choice of a GNU generation                       |
>                                                          |

----- End forwarded message -----

-- 
Kostas Papadakis




More information about the Linux-greek-users mailing list