* major security bug in reiserfs (may affect SuSE Linux)
@ 2001-01-09 23:42 Marc Lehmann
From: Marc Lehmann @ 2001-01-09 23:42 UTC (permalink / raw)
To: BUGTRAQ, linux-kernel, reiserfs-list
We are still investigating, but there seems to be a major security problem
in at least some versions of reiserfs. Since reiserfs is shipped with
newer versions of SuSE Linux and the problem is too easy to reproduce and
VERY dangerous I think alerting people to this problem is in order.
We have tested and verified this problem on a number of different systems
and kernels 2.2.17/2.2.8 with reiserfs-3.5.28 and probably other versions.
Basically, you do:
mkdir "$(perl -e 'print "x" x 768')"
I.e. create a very long directory. The name doesn't seem to be of
relevance (we found this out by doing mkdir "$(cat /etc/hosts)" for other
tests). This works. The next ls (or echo *) command will segfault and the
kernel oopses. All following accesses to the volume in question will oops
and hang the process, even after a reboot.
reiserfsck (the filesystem check program) does _NOT_ detect or solve this
problem:
Replaying journal..ok
Checking S+tree..ok
Comparing bitmaps..ok
But fortunately, rmdir <filename> works and seems to leave the filesystem
undamaged.
Since a kernel oops results (see below), this indicates a buffer overrun
(the kernel jumps to address 78787878, which is "xxxx") inside the kernel,
which is of course very nasty (think ftp-upload!) and certainly gives you
root access from anywhere, even from inside a chrooted environment. We
didn't pursue this further.
The best workaround at this time seems to be to uninstall reiserfs
completely or not allow any user access (even indirect) to these volumes.
While this individual bug might be easy to fix, we believe that other,
similar bugs should be easy to find so reiserfs should not be trusted (it
shouldn't be trusted to full user access for other reasons anyway, but it
is still widely used).
Unable to handle kernel paging request at virtual address 78787878
current->tss.cr3 = 0d074000, %cr3 = 0d074000
*pde = 00000000
Oops: 0002
CPU: 0
EIP: 0010:[<c013f875>]
EFLAGS: 00010282
eax: 00000000 ebx: bfffe78c ecx: 00000000 edx: bfffe78c
esi: ccbddd62 edi: 78787878 ebp: 00000300 esp: ccbddd3c
ds: 0018 es: 0018 ss: 0018
Process bash (pid: 292, process nr: 54, stackpage=ccbdd000)
Stack: c013f66a ccbddf6c cd100000 ccbddd62 0000030c c0136d49 00000700 00002013
00001000 7878030c 78787878 78787878 78787878 78787878 78787878 78787878
78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878
Call Trace: [<c013f66a>] [<c0136d49>]
Code: 89 1f 8b 44 24 18 29 47 08 31 c0 5b 5e 5f 5d 81 c4 2c 01 00
--
-----==- |
----==-- _ |
---==---(_)__ __ ____ __ Marc Lehmann +--
--==---/ / _ \/ // /\ \/ / pcg@opengroup.org |e|
-=====/_/_//_/\_,_/ /_/\_\ XX11-RIPE --+
The choice of a GNU generation |
|
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
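The reasoning in the report above (a fault at 78787878, i.e. "xxxx", in a kernel-mode write, with the saved stack full of the same word) is the standard way to read an overwrite out of an i386 oops. The following Python is an added triage helper, not code from the thread or from the reiserfs project; it parses the oops Marc posted (embedded as sample input) and reports each indicator separately so an incident responder can check them one by one. The PAGE_OFFSET value 0xc0000000 (the default i386 3G/1G split) is an assumption about the reporter's kernel configuration, and the page-fault error-code bits are the documented i386 meanings.

```python
import re

# Sample input: the i386 oops text from Marc Lehmann's report above.
OOPS = """\
Unable to handle kernel paging request at virtual address 78787878
current->tss.cr3 = 0d074000, %cr3 = 0d074000
*pde = 00000000
Oops: 0002
CPU: 0
EIP: 0010:[<c013f875>]
EFLAGS: 00010282
eax: 00000000 ebx: bfffe78c ecx: 00000000 edx: bfffe78c
esi: ccbddd62 edi: 78787878 ebp: 00000300 esp: ccbddd3c
ds: 0018 es: 0018 ss: 0018
Process bash (pid: 292, process nr: 54, stackpage=ccbdd000)
Stack: c013f66a ccbddf6c cd100000 ccbddd62 0000030c c0136d49 00000700 00002013
00001000 7878030c 78787878 78787878 78787878 78787878 78787878 78787878
78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878
Call Trace: [<c013f66a>] [<c0136d49>]
Code: 89 1f 8b 44 24 18 29 47 08 31 c0 5b 5e 5f 5d 81 c4 2c 01 00
"""

# Assumption: default i386 3G/1G split; kernel text and data live above PAGE_OFFSET.
PAGE_OFFSET = 0xC0000000

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p):\s*([0-9a-f]{8})")
FAULT_RE = re.compile(r"virtual address ([0-9a-f]{8})")
EIP_RE = re.compile(r"EIP:\s*[0-9a-f]{4}:\[<([0-9a-f]{8})>\]")
OOPS_CODE_RE = re.compile(r"^Oops:\s*([0-9a-f]{4})", re.M)
HEX_WORDS_RE = re.compile(r"(\s*[0-9a-f]{8})+\s*")


def as_ascii(word):
    """Return the 4 bytes of a 32-bit word as text if all are printable ASCII, else None.
    A pointer that decodes cleanly (0x78787878 -> 'xxxx') is the classic sign that
    user-supplied bytes overwrote a saved register or return address."""
    raw = word.to_bytes(4, "little")
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def decode_error_code(code):
    """Decode the i386 page-fault error code printed after 'Oops:'."""
    return {
        "present": bool(code & 1),  # 0: page not present, 1: protection violation
        "write": bool(code & 2),    # 1: the faulting access was a write
        "user": bool(code & 4),     # 1: fault raised in user mode, 0: kernel mode
    }


def parse_oops(text):
    """Extract fault address, EIP, error code, registers and saved stack words."""
    stack, in_stack = [], False
    for line in text.splitlines():
        if line.startswith("Stack:"):
            in_stack, line = True, line[len("Stack:"):]
        elif in_stack and not HEX_WORDS_RE.fullmatch(line):
            in_stack = False  # 'Call Trace:' or anything else ends the dump
        if in_stack:
            stack.extend(int(w, 16) for w in line.split())
    return {
        "fault_address": int(FAULT_RE.search(text).group(1), 16),
        "eip": int(EIP_RE.search(text).group(1), 16),
        "error_code": int(OOPS_CODE_RE.search(text).group(1), 16),
        "registers": {n: int(v, 16) for n, v in REG_RE.findall(text)},
        "stack": stack,
    }


def triage(text, suspect_input=None):
    """Summarise the overwrite indicators in an oops. suspect_input is the
    user-controlled byte string (here the directory name) to compare against."""
    p = parse_oops(text)
    fault_ascii = as_ascii(p["fault_address"])
    result = {
        "fault_address": p["fault_address"],
        "fault_ascii": fault_ascii,
        "fault_in_kernel_space": p["fault_address"] >= PAGE_OFFSET,
        "eip_in_kernel_space": p["eip"] >= PAGE_OFFSET,
        "error_code": decode_error_code(p["error_code"]),
        "ascii_registers": {n: as_ascii(v) for n, v in p["registers"].items() if as_ascii(v)},
        "stack_words": len(p["stack"]),
        "stack_ascii_words": sum(1 for w in p["stack"] if as_ascii(w)),
        "matches_input": None,
    }
    if suspect_input is not None and fault_ascii is not None:
        # Every byte of the bad pointer came from the suspect input?
        result["matches_input"] = set(fault_ascii.encode()) <= set(suspect_input)
    return result


if __name__ == "__main__":
    for key, value in triage(OOPS, b"x" * 768).items():
        print(f"{key}: {value:#x}" if key == "fault_address" else f"{key}: {value}")
```

Read together, the fields say what the report says in one sentence: the kernel (not user mode) attempted a write to a not-present page at an address that is just the directory name's bytes, %edi holds the same bytes, and 14 of the 24 saved stack words are "xxxx". That combination is worth an escalation even before anyone works out which function overran; a fault at a non-ASCII kernel-space address with a clean stack would point to an ordinary bug instead.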
* Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)
From: John Morrison @ 2001-01-10 0:43 UTC (permalink / raw)
To: Marc Lehmann; +Cc: BUGTRAQ, linux-kernel, reiserfs-list
I can't reproduce this.
[root@vaio /root]# mkdir "$(perl -e 'print "x" x 768')"
[root@vaio /root]# ls
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxx
[root@vaio /root]#
John
> We are still investigating, but there seems to be a major security problem
> in at least some versions of reiserfs. Since reiserfs is shipped with
> newer versions of SuSE Linux and the problem is too easy to reproduce and
> VERY dangerous I think alerting people to this problem is in order.
>
> We have tested and verified this problem on a number of different systems
> and kernels 2.2.17/2.2.8 with reiserfs-3.5.28 and probably other versions.
>
> Basically, you do:
>
> mkdir "$(perl -e 'print "x" x 768')"
>
> I.e. create a very long directory. The name doesn't seem to be of
> relevance (we found this out by doing mkdir "$(cat /etc/hosts)" for other
> tests). This works. The next ls (or echo *) command will segfault and the
> kernel oopses. All following accesses to the volume in question will oops
> and hang the process, even after a reboot.
>
> reiserfsck (the filesystem check program) does _NOT_ detect or solve this
> problem:
>
> Replaying journal..ok
> Checking S+tree..ok
> Comparing bitmaps..ok
>
> But fortunately, rmdir <filename> works and seems to leave the filesystem
> undamaged.
>
> Since a kernel oops results (see below), this indicates a buffer overrun
> (the kernel jumps to address 78787878, which is "xxxx") inside the kernel,
> which is of course very nasty (think ftp-upload!) and certainly gives you
> root access from anywhere, even from inside a chrooted environment. We
> didn't pursue this further.
>
> The best workaround at this time seems to be to uninstall reiserfs
> completely or not allow any user access (even indirect) to these volumes.
> While this individual bug might be easy to fix, we believe that other,
> similar bugs should be easy to find so reiserfs should not be trusted (it
> shouldn't be trusted to full user access for other reasons anyway, but it
> is still widely used).
>
> Unable to handle kernel paging request at virtual address 78787878
> current->tss.cr3 = 0d074000, %cr3 = 0d074000
> *pde = 00000000
> Oops: 0002
> CPU: 0
> EIP: 0010:[<c013f875>]
> EFLAGS: 00010282
> eax: 00000000 ebx: bfffe78c ecx: 00000000 edx: bfffe78c
> esi: ccbddd62 edi: 78787878 ebp: 00000300 esp: ccbddd3c
> ds: 0018 es: 0018 ss: 0018
> Process bash (pid: 292, process nr: 54, stackpage=ccbdd000)
> Stack: c013f66a ccbddf6c cd100000 ccbddd62 0000030c c0136d49 00000700 00002013
> 00001000 7878030c 78787878 78787878 78787878 78787878 78787878 78787878
> 78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878
> Call Trace: [<c013f66a>] [<c0136d49>]
> Code: 89 1f 8b 44 24 18 29 47 08 31 c0 5b 5e 5f 5d 81 c4 2c 01 00
>
>
>
* Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)
From: Chris Mason @ 2001-01-10 0:51 UTC (permalink / raw)
To: Marc Lehmann, BUGTRAQ, linux-kernel, reiserfs-list
On Wednesday, January 10, 2001 12:42:01 AM +0100 Marc Lehmann
<pcg@goof.com> wrote:
> We are still investigating, but there seems to be a major security problem
> in at least some versions of reiserfs. Since reiserfs is shipped with
> newer versions of SuSE Linux and the problem is too easy to reproduce and
> VERY dangerous I think alerting people to this problem is in order.
>
Sorry, a quick attempt at reproducing on 2.2.17 and 2.2.19 kernels did not
cause an oops. Could you please send me a decoded version of the oops to
help track things down?
thanks,
Chris
* Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)
From: Vladimir V. Saveliev @ 2001-01-10 0:56 UTC (permalink / raw)
To: Marc Lehmann; +Cc: BUGTRAQ, linux-kernel, reiserfs-list
Hi
Marc Lehmann wrote:
> We are still investigating, but there seems to be a major security problem
> in at least some versions of reiserfs. Since reiserfs is shipped with
> newer versions of SuSE Linux and the problem is too easy to reproduce and
> VERY dangerous I think alerting people to this problem is in order.
>
> We have tested and verified this problem on a number of different systems
> and kernels 2.2.17/2.2.8 with reiserfs-3.5.28 and probably other versions.
>
> Basically, you do:
>
> mkdir "$(perl -e 'print "x" x 768')"
>
> I.e. create a very long directory. The name doesn't seem to be of
> relevance (we found this out by doing mkdir "$(cat /etc/hosts)" for other
> tests). This works. The next ls (or echo *) command will segfault and the
> kernel oopses. All following accesses to the volume in question will oops
> and hang the process, even after a reboot.
>
Hmm,
mkdir "$(perl -e 'print "x" x 768')"
ls
echo *
works here as it should. (2.2.18 and reiserfs-3.5.29)
Did I miss something?
Thanks,
vs
>
> reiserfsck (the filesystem check program) does _NOT_ detect or solve this
> problem:
>
> Replaying journal..ok
> Checking S+tree..ok
> Comparing bitmaps..ok
>
> But fortunately, rmdir <filename> works and seems to leave the filesystem
> undamaged.
>
> Since a kernel oops results (see below), this indicates a buffer overrun
> (the kernel jumps to address 78787878, which is "xxxx") inside the kernel,
> which is of course very nasty (think ftp-upload!) and certainly gives you
> root access from anywhere, even from inside a chrooted environment. We
> didn't pursue this further.
>
> The best workaround at this time seems to be to uninstall reiserfs
> completely or not allow any user access (even indirect) to these volumes.
> While this individual bug might be easy to fix, we believe that other,
> similar bugs should be easy to find so reiserfs should not be trusted (it
> shouldn't be trusted to full user access for other reasons anyway, but it
> is still widely used).
>
> Unable to handle kernel paging request at virtual address 78787878
> current->tss.cr3 = 0d074000, %cr3 = 0d074000
> *pde = 00000000
> Oops: 0002
> CPU: 0
> EIP: 0010:[<c013f875>]
> EFLAGS: 00010282
> eax: 00000000 ebx: bfffe78c ecx: 00000000 edx: bfffe78c
> esi: ccbddd62 edi: 78787878 ebp: 00000300 esp: ccbddd3c
> ds: 0018 es: 0018 ss: 0018
> Process bash (pid: 292, process nr: 54, stackpage=ccbdd000)
> Stack: c013f66a ccbddf6c cd100000 ccbddd62 0000030c c0136d49 00000700 00002013
> 00001000 7878030c 78787878 78787878 78787878 78787878 78787878 78787878
> 78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878
> Call Trace: [<c013f66a>] [<c0136d49>]
> Code: 89 1f 8b 44 24 18 29 47 08 31 c0 5b 5e 5f 5d 81 c4 2c 01 00
>
> --
> -----==- |
> ----==-- _ |
> ---==---(_)__ __ ____ __ Marc Lehmann +--
> --==---/ / _ \/ // /\ \/ / pcg@opengroup.org |e|
> -=====/_/_//_/\_,_/ /_/\_\ XX11-RIPE --+
> The choice of a GNU generation |
> |
* Re: [BUGTRAQ] major security bug in reiserfs (may affect SuSE Linux)
From: John H. Robinson, IV @ 2001-01-10 6:02 UTC (permalink / raw)
To: BUGTRAQ; +Cc: linux-kernel, reiserfs-list
On Wed, Jan 10, 2001 at 12:42:01AM +0100, Marc Lehmann wrote:
>
> Basically, you do:
>
> mkdir "$(perl -e 'print "x" x 768')"
[jaqque@osiris:/tmp/chk]% uname -a
Linux osiris 2.2.18 [classified] Sat Jan 6 11:19:04 PST 2001 i586 unknown
[jaqque@osiris:/tmp/chk]% mkdir "$(perl -e 'print "x" x 768')"
[jaqque@osiris:/tmp/chk]% ls -la
total 2
drwxrwxr-x 3 jaqque jaqque 819 Jan 9 21:55 .
drwxrwxrwt 10 root root 371 Jan 9 21:54 ..
drwxrwxr-x 2 jaqque jaqque 35 Jan 9 21:55 x...
[jaqque@osiris:/tmp/chk]% rm -rf x*
[jaqque@osiris:/tmp/chk]% mkdir "$(perl -e 'print "x" x 4033')"
mkdir: cannot create directory `x....x': File name too long
[jaqque@osiris:/tmp/chk]% mkdir "$(perl -e 'print "x" x 4032')"
[jaqque@osiris:/tmp/chk]% rm -rf x*
[jaqque@osiris:/tmp/chk]% mkdir "$(perl -e 'print "x" x 4032')"
mkdir: cannot create directory `x....x': File exists
zsh: exit 255 mkdir "$(perl -e 'print "x" x 4032')"
[jaqque@osiris:/tmp/chk]% ls -la
total 4
drwxrwxr-x 3 jaqque jaqque 4083 Jan 9 21:56 .
drwxrwxrwt 10 root root 371 Jan 9 21:54 ..
[jaqque@osiris:/tmp/chk]%
no oops, but a directory that cannot be removed.
-john
linux kernel 2.2.18 with reiserfs-3.5.29 patch
* Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)
From: Dirk Mueller @ 2001-01-10 11:03 UTC (permalink / raw)
To: BUGTRAQ, linux-kernel, reiserfs-list
> The best workaround at this time seems to be to uninstall reiserfs
> completely or not allow any user access (even indirect) to these volumes.
> While this individual bug might be easy to fix, we believe that other,
> similar bugs should be easy to find so reiserfs should not be trusted (it
> shouldn't be trusted to full user access for other reasons anyway, but it
> is still widely used).
Can you please calm down? Just because you maybe found ONE bug you cannot
say that there are more issues except this one without even knowing them!
If it helps, I'm using 2.2.18+reiserfs-3.5.29+ide-dma patch and I cannot
reproduce ANYTHING said in the referred message. It works perfectly fine.
I was using gcc 2.95.2 to compile the kernel.
Dirk
* Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)
From: Gnea @ 2001-01-10 13:08 UTC (permalink / raw)
To: linux-kernel
On Wed, Jan 10, 2001 at 03:56:32AM +0300, Vladimir V. Saveliev wrote:
> Hi
>
> Marc Lehmann wrote:
>
> > We are still investigating, but there seems to be a major security problem
>
> Hmm,
> mkdir "$(perl -e 'print "x" x 768')"
> ls
> echo *
>
> works here as it should. (2.2.18 and reiserfs-3.5.29)
cat /proc/version
Linux version 2.4.0-test11 (root@celery) (gcc version 2.95.2 20000220
(Debian GNU/Linux)) #1 SMP Fri Dec 15 01:45:43 EST 2000
snipping from dmesg:
reiserfs: checking transaction log (device 21:08) ...
Using tea hash to sort names
ReiserFS version 3.6.22
while mkdir "$(perl -e 'print "x" x 768')" works just fine, doing a
mkdir "$(perl -e 'print "x" x 4000')" will create the dir, but will NOT
segfault any program, NOR cause a kernel oops.. however, it will NOT
show up with ls. rm -rf "$(perl -e 'print "x" x 4000')" _will_ work...
I have yet to experience any crashes, segfaults or oopses since.
--
.oO Gnea [gnea at rochester dot rr dot com] Oo.
.oO url: http://garson.org/~gnea Oo.
"You can tune a filesystem, but you can't tuna fish." -unknown