Mathieu Lafon from Arkoon Network Security discovered the following problem in ext2: when a new directory is created, the ext2 block written to disk is not initialized. An information leak can then be found after the two directory entries ('.' and '..') or in the name buffer of each entry (struct ext2_dir_entry_2). Following fix has been published in 2.6.12-rc1-mm1 : ============================================================== diff -rN -U 5 linux-2.6.10/fs/ext2/dir.c linux-2.6.10-ext2-info-leak-fix/fs/ext2/dir.c --- linux-2.6.10/fs/ext2/dir.c Wed Mar 16 18:16:51 2005 +++ linux-2.6.10-ext2-info-leak-fix/fs/ext2/dir.c Wed Mar 16 18:17:01 2005 @@ -590,10 +590,11 @@ if (err) { unlock_page(page); goto fail; } kaddr = kmap_atomic(page, KM_USER0); + memset(kaddr, 0, chunk_size); de = (struct ext2_dir_entry_2 *)kaddr; de->name_len = 1; de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1)); memcpy (de->name, ".\0\0", 4); de->inode = cpu_to_le32(inode->i_ino); =============================================================
This appears to be a 2.6.x only problem
Fixed in vanilla 2.6.11.6 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.6
mips-sources fixed.
Fixed in gentoo-sources-2.6.11-r6
Fixed in usermode-sources-2.6.11
Fixed in ck-sources-2.6.11-r7
This also affects the 2.4 series. From solar : grsec-sources-2.4.30 is in the tree as ~arch. Note for other bumpers of 2.4.x series. CAN-2004-1056.patch and linux-2.4.28-random-poolsize.patch have never been applied to mainline.
rsbac-sources requires patch.
kang: rsbac-2.6.11-r5 also appears to have a broken fix from upstream. From 1500_rsbac_1.2.4_20050528.patch: ++ memset(kaddr, 0, chunk_size); ... that should be one '+'.
All fixed, closing.
