Bug#: 86258
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Thierry Carrez (RETIRED) <koon@gentoo.org>

Description:   Opened: 2005-03-22 06:36 0000
Mathieu Lafon from Arkoon Network Security discovered the following problem in
ext2: when a new directory is created, the ext2 block written to disk is not 
initialized. An information leak can then be found after the two directory
entries ('.'  and '..') or in the name buffer of each entry (struct
ext2_dir_entry_2).

The following fix has been published in 2.6.12-rc1-mm1:

==============================================================
diff -rN -U 5 linux-2.6.10/fs/ext2/dir.c 
linux-2.6.10-ext2-info-leak-fix/fs/ext2/dir.c
--- linux-2.6.10/fs/ext2/dir.c  Wed Mar 16 18:16:51 2005
+++ linux-2.6.10-ext2-info-leak-fix/fs/ext2/dir.c       Wed Mar 16 
18:17:01 2005
@@ -590,10 +590,11 @@
        if (err) {
                unlock_page(page);
                goto fail;
        }
        kaddr = kmap_atomic(page, KM_USER0);
+       memset(kaddr, 0, chunk_size);
        de = (struct ext2_dir_entry_2 *)kaddr;
        de->name_len = 1;
        de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1));
        memcpy (de->name, ".\0\0", 4);
        de->inode = cpu_to_le32(inode->i_ino);
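Review bot: The added memset() zeroes exactly chunk_size bytes from kaddr, which closes the leak only if the range later written back to disk is [0, chunk_size); the hunk does not show where chunk_size comes from or how much of the page is committed, so confirm it equals the directory block size and that nothing past it is written out. The placement is right: it sits after kmap_atomic() and before the first store through de, and note that the existing `memcpy (de->name, ".\0\0", 4)` only zeroes the 3 padding bytes of this one entry, so without the memset everything after the "." and ".." headers still carried stale page contents. A 2.4 backport needs the same ordering (zero first, then fill in the entries).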
=============================================================
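
The leak described above can be checked for without kernel code: walk a directory block entry by entry and count bytes that lie inside an entry's rec_len but past its header and name (the slack), which a freshly created directory should leave all-zero. The program below is an added example, not code from this bug or from the kernel; it rebuilds the "." and ".." entries in the order ext2_make_empty() writes them, with and without the one-line memset, over a constructed 1 KiB block pre-filled with a recognisable pattern standing in for stale page contents. The block size, inode numbers and fill byte are assumptions.

```c
/* Added example: simulate a new ext2 directory block and scan it for slack
 * bytes that still carry stale data. Not from the Gentoo bug or the kernel. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 1024            /* assumed: 1 KiB ext2 block */
#define EXT2_FT_DIR 2
#define EXT2_DIR_PAD 4
/* Same rounding as the kernel macro: 8-byte header + name, padded to 4. */
#define EXT2_DIR_REC_LEN(len) (((len) + 8 + EXT2_DIR_PAD - 1) & ~(EXT2_DIR_PAD - 1))

/* Byte offsets of the fields of struct ext2_dir_entry_2 (little-endian):
 *   u32 inode; u16 rec_len; u8 name_len; u8 file_type; char name[]; */
enum { DE_INODE = 0, DE_REC_LEN = 4, DE_NAME_LEN = 6, DE_FILE_TYPE = 7, DE_NAME = 8 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (v >> (8 * i)) & 0xff;
}

/* Mirrors the store sequence of ext2_make_empty(): write "." and ".." into
 * the first block of a new directory. With zero_first == 0 the block keeps
 * whatever the caller left in it, which is the bug on this page. */
void make_empty_dir(uint8_t *block, size_t block_size,
                    uint32_t ino, uint32_t parent_ino, int zero_first)
{
    if (zero_first)
        memset(block, 0, block_size);          /* the one-line fix */

    uint8_t *de = block;
    de[DE_NAME_LEN] = 1;
    put_le16(de + DE_REC_LEN, EXT2_DIR_REC_LEN(1));
    memcpy(de + DE_NAME, ".\0\0", 4);          /* zeroes only this entry's padding */
    put_le32(de + DE_INODE, ino);
    de[DE_FILE_TYPE] = EXT2_FT_DIR;

    de = block + EXT2_DIR_REC_LEN(1);
    de[DE_NAME_LEN] = 2;
    put_le16(de + DE_REC_LEN, (uint16_t)(block_size - EXT2_DIR_REC_LEN(1)));
    put_le32(de + DE_INODE, parent_ino);
    memcpy(de + DE_NAME, "..\0", 4);
    de[DE_FILE_TYPE] = EXT2_FT_DIR;
}

/* Walk the entry chain and count non-zero bytes that sit inside an entry's
 * rec_len but past its header + name. Returns (size_t)-1 if the chain is
 * malformed (bad rec_len), so a corrupt block is not mistaken for a clean one.
 * A block written by the fixed code returns 0. */
size_t count_slack_nonzero(const uint8_t *block, size_t block_size)
{
    size_t off = 0, leaked = 0;
    while (off < block_size) {
        if (block_size - off < DE_NAME)
            return (size_t)-1;
        const uint8_t *de = block + off;
        uint16_t rec_len = le16(de + DE_REC_LEN);
        uint8_t name_len = de[DE_NAME_LEN];
        if (rec_len < EXT2_DIR_REC_LEN(name_len) || rec_len % EXT2_DIR_PAD ||
            rec_len > block_size - off)
            return (size_t)-1;
        for (size_t i = DE_NAME + name_len; i < rec_len; i++)
            if (de[i] != 0)
                leaked++;
        off += rec_len;
    }
    return leaked;
}

/* Constructed demonstration: 0xAA stands in for stale page contents. */
size_t demo(int fixed)
{
    static uint8_t block[BLOCK_SIZE];
    memset(block, 0xAA, sizeof block);         /* constructed "stale" data */
    make_empty_dir(block, sizeof block, 12, 2, fixed);   /* assumed inode numbers */
    return count_slack_nonzero(block, sizeof block);
}

int main(void)
{
    printf("unfixed: %zu slack bytes carry stale data\n", demo(0));
    printf("fixed:   %zu slack bytes carry stale data\n", demo(1));
    return 0;
}
```

The unfixed case leaves BLOCK_SIZE - 24 bytes of stale data: the two 4-byte memcpy() calls zero the name padding of "." and "..", so the leak is everything after the ".." header, exactly the region the memset in the fix covers. The same scanner, run over directory blocks read from a real image, flags later entries whose name padding was never cleared.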

------- Comment #1 From solar 2005-03-22 07:21:20 0000 -------
This appears to be a 2.6.x only problem

------- Comment #2 From Thierry Carrez (RETIRED) 2005-03-26 09:20:02 0000 -------
Fixed in vanilla 2.6.11.6
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.6

------- Comment #3 From Joshua Kinard 2005-04-23 22:27:19 0000 -------
mips-sources fixed.

------- Comment #4 From Daniel Drake 2005-04-27 13:43:00 0000 -------
Fixed in gentoo-sources-2.6.11-r6

------- Comment #5 From Daniel Drake 2005-04-29 17:39:56 0000 -------
Fixed in usermode-sources-2.6.11

------- Comment #6 From Daniel Drake 2005-05-10 15:32:47 0000 -------
Fixed in ck-sources-2.6.11-r7

------- Comment #7 From Thierry Carrez (RETIRED) 2005-05-23 04:58:01 0000 -------
This also affects the 2.4 series.

From solar :
grsec-sources-2.4.30 is in the tree as ~arch.

Note for other bumpers of 2.4.x series.
CAN-2004-1056.patch and linux-2.4.28-random-poolsize.patch have never 
been applied to mainline.

------- Comment #8 From Tim Yamin (RETIRED) 2005-08-20 11:14:12 0000 -------
rsbac-sources requires patch.

------- Comment #9 From Tim Yamin (RETIRED) 2005-08-20 12:03:31 0000 -------
kang: rsbac-2.6.11-r5 also appears to have a broken fix from upstream. From
1500_rsbac_1.2.4_20050528.patch:

++       memset(kaddr, 0, chunk_size);

... that should be one '+'.

------- Comment #10 From Tim Yamin (RETIRED) 2005-11-26 02:30:31 0000 -------
All fixed, closing.
