[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]
Reiserfs BUG

To: linux-india-help@xxxxxxxxxxxxxxxxxxxxx
Subject: Reiserfs BUG
From: "dodobh@xxxxxxxxxxx" <dodobh@xxxxxxxxxxx>
Date: Tue, 9 Jan 2001 23:40:07 -0800
Cc: linuxers@xxxxxxxxxxxxxxx
This looks like a rather urgent and dangerous bug.
Please disable RieserFS on machines exposed to the net
-----------Forwarded Message----------------
Return-Path: <owner-bugtraq@xxxxxxxxxxxxxxxxx>
Received: from lists.securityfocus.com (lists.securityfocus.com [207.126.127.68])
 by ns2.worldgatein.com (8.9.3/8.9.3) with ESMTP id IAA05047
 for <devdas@xxxxxxxxxxxxxxx>; Wed, 10 Jan 2001 08:20:32 +0530
Received: from lists.securityfocus.com (lists.securityfocus.com [207.126.127.68])
 by lists.securityfocus.com (Postfix) with ESMTP
 id B0EF224CC25; Tue, 9 Jan 2001 17:56:30 -0800 (PST)
Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM
 (LISTSERV-TCP/IP release 1.8d) with spool id 22338382 for
 BUGTRAQ@xxxxxxxxxxxxxxxxxxxxxxx; Tue, 9 Jan 2001 17:55:41 -0800
Approved-By: beng@xxxxxxxxxxxxxxxxx
Delivered-To: bugtraq@xxxxxxxxxxxxxxxxxxxxxxx
Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78]) by
 lists.securityfocus.com (Postfix) with SMTP id 24B9924D081 for
 <bugtraq@xxxxxxxxxxxxxxxxxxxxxxx>; Tue, 9 Jan 2001 15:39:49 -0800
 (PST)
Received: (qmail 21864 invoked by alias); 9 Jan 2001 23:39:52 -0000
Delivered-To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Received: (qmail 21841 invoked from network); 9 Jan 2001 23:39:51 -0000
Received: from islay.mach.uni-karlsruhe.de (HELO mailout.plan9.de)
 (129.13.162.92) by mail.securityfocus.com with SMTP; 9 Jan 2001
 23:39:51 -0000
Received: from cerebro ([10.0.0.1] helo=mail.plan9.de ident=schmorp) by
 mailout.plan9.de with esmtp (Exim 3.20 #1) id 14G8P6-0004dq-00; Wed,
 10 Jan 2001 00:42:12 +0100
Received: from root by mail.plan9.de with local (Exim 3.20 #1) id
 14G8Ov-000079-00; Wed, 10 Jan 2001 00:42:01 +0100
Mail-Followup-To: BUGTRAQ@xxxxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx,
 reiserfs-list@xxxxxxxxxxx
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Operating-System: Linux version 2.2.18 (root@cerebro) (gcc version
 pgcc-2.95.2.1 20001224 (release))
X-Copyright: copyright 2000 Marc Alexander Lehmann - all rights reserved
Message-ID: <20010110004201.A308@xxxxxxxxxxxxxxx>
Date: Wed, 10 Jan 2001 00:42:01 +0100
Reply-To: Marc Lehmann <pcg@xxxxxxxx>
Sender: Bugtraq List <BUGTRAQ@xxxxxxxxxxxxxxxxx>
From: Marc Lehmann <pcg@xxxxxxxx>
Subject: major security bug in reiserfs (may affect SuSE Linux)
X-To: linux-kernel@xxxxxxxxxxxxxxx, reiserfs-list@xxxxxxxxxxx
To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Status: R 
X-Status: N


We are still investigating, but there seems to be a major security problem
in at least some versions of reiserfs. Since reiserfs is shipped with
newer versions of SuSE Linux and the problem is too easy to reproduce and
VERY dangerous I think alerting people to this problem is in order.

We have tested and verified this problem on a number of different systems
and kernels 2.2.17/2.2.8 with reiserfs-3.5.28 and probably other versions.

Basically, you do:

mkdir "$(perl -e 'print "x" x 768')"

I.e. create a very long directory. The name doesn't seem to be of
relevance (we found this out by doing mkdir "$(cat /etc/hosts)" for other
tests). This works.  The next ls (or echo *) command will segfault and the
kernel oopses. all following accesses to the volume in question will oops
and hang the process, even afetr a reboot.

reiserfsck (the filesystem check program) does _NOT_ detect or solve this
problem:

Replaying journal..ok
Checking S+tree..ok
Comparing bitmaps..ok

But fortunately, rmdir <filename> works and seems to leave the filesystem
undamaged.

Since a kernel oops results (see below), this indicates a buffer overrun
(the kernel jumps to address 78787878, which is "xxxx") inside the kernel,
which is of course very nasty (think ftp-upload!) and certainly gives you
root access from anywhere, even from inside a chrooted environment. We
didn't pursue this further.

The best workaround at this time seems to be to uninstall reiserfs
completely or not allow any user access (even indirect) to these volumes.
While this individual bug might be easy to fix, we believe that other,
similar bugs should be easy to find so reiserfs should not be trusted (it
shouldn't be trusted to full user access for other reasons anyway, but it
is still widely used).

Unable to handle kernel paging request at virtual address 78787878
current->tss.cr3 = 0d074000, %cr3 = 0d074000
*pde = 00000000
Oops: 0002
CPU:    0
EIP:    0010:[<c013f875>]
EFLAGS: 00010282
eax: 00000000   ebx: bfffe78c   ecx: 00000000   edx: bfffe78c
esi: ccbddd62   edi: 78787878   ebp: 00000300   esp: ccbddd3c
ds: 0018   es: 0018   ss: 0018
Process bash (pid: 292, process nr: 54, stackpage=ccbdd000)
Stack: c013f66a ccbddf6c cd100000 ccbddd62 0000030c c0136d49 00000700 00002013
00001000 7878030c 78787878 78787878 78787878 78787878 78787878 78787878
78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878
Call Trace: [<c013f66a>] [<c0136d49>]
Code: 89 1f 8b 44 24 18 29 47 08 31 c0 5b 5e 5f 5d 81 c4 2c 01 00


--
-----==-                                             |
----==-- _                                           |
---==---(_)__  __ ____  __       Marc Lehmann      +--
--==---/ / _ \/ // /\ \/ /       pcg@xxxxxxxxxxxxx |e|
-=====/_/_//_/\_,_/ /_/\_\       XX11-RIPE         --+
The choice of a GNU generation                       |
|





------------------------------------------------------------
For Valentine's Day shop by Brand, Product, Price, Store and Location!
http://shop.storerunner.com/shop.asp?pdef=home&trsid=3080
Prev by Subject: Re: Regarding the Indian FTP Mirrors for linux
Next by Subject: REQUIRE EXPERT LINUX SUPPORTERS AT MUMBAI-THANE-PUNE (fwd)
Previous by thread: Multiple gateway address?
Next by thread: COMMERCIAL: Development kit from Korea...
Index(es):
- Subject
- Thread