* Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)
2001-01-09 23:42 major security bug in reiserfs (may affect SuSE Linux) Marc Lehmann
@ 2001-01-10 0:43 ` John Morrison
2001-01-10 0:51 ` Chris Mason
` (3 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: John Morrison @ 2001-01-10 0:43 UTC (permalink / raw)
To: Marc Lehmann; +Cc: BUGTRAQ, linux-kernel, reiserfs-list
I can't reproduce this.
[root@vaio /root]# mkdir "$(perl -e 'print "x" x 768')"
[root@vaio /root]# ls
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxx
[root@vaio /root]#
John
> We are still investigating, but there seems to be a major security problem
> in at least some versions of reiserfs. Since reiserfs is shipped with
> newer versions of SuSE Linux and the problem is too easy to reproduce and
> VERY dangerous I think alerting people to this problem is in order.
>
> We have tested and verified this problem on a number of different systems
> and kernels 2.2.17/2.2.8 with reiserfs-3.5.28 and probably other versions.
>
> Basically, you do:
>
> mkdir "$(perl -e 'print "x" x 768')"
>
> I.e. create a very long directory. The name doesn't seem to be of
> relevance (we found this out by doing mkdir "$(cat /etc/hosts)" for other
> tests). This works. The next ls (or echo *) command will segfault and the
> kernel oopses. All following accesses to the volume in question will oops
> and hang the process, even after a reboot.
>
> reiserfsck (the filesystem check program) does _NOT_ detect or solve this
> problem:
>
> Replaying journal..ok
> Checking S+tree..ok
> Comparing bitmaps..ok
>
> But fortunately, rmdir <filename> works and seems to leave the filesystem
> undamaged.
>
> Since a kernel oops results (see below), this indicates a buffer overrun
> (the kernel jumps to address 78787878, which is "xxxx") inside the kernel,
> which is of course very nasty (think ftp-upload!) and certainly gives you
> root access from anywhere, even from inside a chrooted environment. We
> didn't pursue this further.
>
> The best workaround at this time seems to be to uninstall reiserfs
> completely or not allow any user access (even indirect) to these volumes.
> While this individual bug might be easy to fix, we believe that other,
> similar bugs should be easy to find so reiserfs should not be trusted (it
> shouldn't be trusted to full user access for other reasons anyway, but it
> is still widely used).
>
> Unable to handle kernel paging request at virtual address 78787878
> current->tss.cr3 = 0d074000, %cr3 = 0d074000
> *pde = 00000000
> Oops: 0002
> CPU: 0
> EIP: 0010:[<c013f875>]
> EFLAGS: 00010282
> eax: 00000000 ebx: bfffe78c ecx: 00000000 edx: bfffe78c
> esi: ccbddd62 edi: 78787878 ebp: 00000300 esp: ccbddd3c
> ds: 0018 es: 0018 ss: 0018
> Process bash (pid: 292, process nr: 54, stackpage=ccbdd000)
> Stack: c013f66a ccbddf6c cd100000 ccbddd62 0000030c c0136d49 00000700 00002013
> 00001000 7878030c 78787878 78787878 78787878 78787878 78787878 78787878
> 78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878
> Call Trace: [<c013f66a>] [<c0136d49>]
> Code: 89 1f 8b 44 24 18 29 47 08 31 c0 5b 5e 5f 5d 81 c4 2c 01 00
>
>
>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
* Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)
From: Chris Mason @ 2001-01-10 0:51 UTC (permalink / raw)
To: Marc Lehmann, BUGTRAQ, linux-kernel, reiserfs-list
On Wednesday, January 10, 2001 12:42:01 AM +0100 Marc Lehmann <pcg@goof.com> wrote:
> We are still investigating, but there seems to be a major security problem
> in at least some versions of reiserfs. Since reiserfs is shipped with
> newer versions of SuSE Linux and the problem is too easy to reproduce and
> VERY dangerous I think alerting people to this problem is in order.
>
Sorry, a quick attempt at reproducing on 2.2.17 and 2.2.19 kernels did not
cause an oops. Could you please send me a decoded version of the oops to
help track things down?
thanks,
Chris
* Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)
From: Vladimir V. Saveliev @ 2001-01-10 0:56 UTC (permalink / raw)
To: Marc Lehmann; +Cc: BUGTRAQ, linux-kernel, reiserfs-list
Hi
Marc Lehmann wrote:
> We are still investigating, but there seems to be a major security problem
> in at least some versions of reiserfs. Since reiserfs is shipped with
> newer versions of SuSE Linux and the problem is too easy to reproduce and
> VERY dangerous I think alerting people to this problem is in order.
>
> We have tested and verified this problem on a number of different systems
> and kernels 2.2.17/2.2.8 with reiserfs-3.5.28 and probably other versions.
>
> Basically, you do:
>
> mkdir "$(perl -e 'print "x" x 768')"
>
> I.e. create a very long directory. The name doesn't seem to be of
> relevance (we found this out by doing mkdir "$(cat /etc/hosts)" for other
> tests). This works. The next ls (or echo *) command will segfault and the
> kernel oopses. All following accesses to the volume in question will oops
> and hang the process, even after a reboot.
>
Hmm,
mkdir "$(perl -e 'print "x" x 768')"
ls
echo *
works here as it should. (2.2.18 and reiserfs-3.5.29)
Did I miss something?
Thanks,
vs
>
> reiserfsck (the filesystem check program) does _NOT_ detect or solve this
> problem:
>
> Replaying journal..ok
> Checking S+tree..ok
> Comparing bitmaps..ok
>
> But fortunately, rmdir <filename> works and seems to leave the filesystem
> undamaged.
>
> Since a kernel oops results (see below), this indicates a buffer overrun
> (the kernel jumps to address 78787878, which is "xxxx") inside the kernel,
> which is of course very nasty (think ftp-upload!) and certainly gives you
> root access from anywhere, even from inside a chrooted environment. We
> didn't pursue this further.
>
> The best workaround at this time seems to be to uninstall reiserfs
> completely or not allow any user access (even indirect) to these volumes.
> While this individual bug might be easy to fix, we believe that other,
> similar bugs should be easy to find so reiserfs should not be trusted (it
> shouldn't be trusted to full user access for other reasons anyway, but it
> is still widely used).
>
> Unable to handle kernel paging request at virtual address 78787878
> current->tss.cr3 = 0d074000, %cr3 = 0d074000
> *pde = 00000000
> Oops: 0002
> CPU: 0
> EIP: 0010:[<c013f875>]
> EFLAGS: 00010282
> eax: 00000000 ebx: bfffe78c ecx: 00000000 edx: bfffe78c
> esi: ccbddd62 edi: 78787878 ebp: 00000300 esp: ccbddd3c
> ds: 0018 es: 0018 ss: 0018
> Process bash (pid: 292, process nr: 54, stackpage=ccbdd000)
> Stack: c013f66a ccbddf6c cd100000 ccbddd62 0000030c c0136d49 00000700 00002013
> 00001000 7878030c 78787878 78787878 78787878 78787878 78787878 78787878
> 78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878
> Call Trace: [<c013f66a>] [<c0136d49>]
> Code: 89 1f 8b 44 24 18 29 47 08 31 c0 5b 5e 5f 5d 81 c4 2c 01 00
>
> --
> -----==- |
> ----==-- _ |
> ---==---(_)__ __ ____ __ Marc Lehmann +--
> --==---/ / _ \/ // /\ \/ / pcg@opengroup.org |e|
> -=====/_/_//_/\_,_/ /_/\_\ XX11-RIPE --+
> The choice of a GNU generation |
> |
* Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)
From: Gnea @ 2001-01-10 13:08 UTC (permalink / raw)
To: linux-kernel
On Wed, Jan 10, 2001 at 03:56:32AM +0300, Vladimir V. Saveliev wrote:
> Hi
>
> Marc Lehmann wrote:
>
> > We are still investigating, but there seems to be a major security problem
>
> Hmm,
> mkdir "$(perl -e 'print "x" x 768')"
> ls
> echo *
>
> works here as it should. (2.2.18 and reiserfs-3.5.29)
cat /proc/version
Linux version 2.4.0-test11 (root@celery) (gcc version 2.95.2 20000220
(Debian GNU/Linux)) #1 SMP Fri Dec 15 01:45:43 EST 2000
snipping from dmesg:
reiserfs: checking transaction log (device 21:08) ...
Using tea hash to sort names
ReiserFS version 3.6.22
while mkdir "$(perl -e 'print "x" x 768')" works just fine, doing a
mkdir "$(perl -e 'print "x" x 4000')" will create the dir, but will NOT
segfault any program, NOR cause a kernel oops.. however, it will NOT
show up with ls. rm -rf "$(perl -e 'print "x" x 4000')" _will_ work...
i have yet to experience any crashes, segfaults or oopses since.
--
.oO Gnea [gnea at rochester dot rr dot com] Oo.
.oO url: http://garson.org/~gnea Oo.
"You can tune a filesystem, but you can't tuna fish." -unknown
* Re: [BUGTRAQ] major security bug in reiserfs (may affect SuSE Linux)
From: John H. Robinson, IV @ 2001-01-10 6:02 UTC (permalink / raw)
To: BUGTRAQ; +Cc: linux-kernel, reiserfs-list
On Wed, Jan 10, 2001 at 12:42:01AM +0100, Marc Lehmann wrote:
>
> Basically, you do:
>
> mkdir "$(perl -e 'print "x" x 768')"
[jaqque@osiris:/tmp/chk]% uname -a
Linux osiris 2.2.18 [classified] Sat Jan 6 11:19:04 PST 2001 i586 unknown
[jaqque@osiris:/tmp/chk]% mkdir "$(perl -e 'print "x" x 768')"
[jaqque@osiris:/tmp/chk]% ls -la
total 2
drwxrwxr-x 3 jaqque jaqque 819 Jan 9 21:55 .
drwxrwxrwt 10 root root 371 Jan 9 21:54 ..
drwxrwxr-x 2 jaqque jaqque 35 Jan 9 21:55 x...
[jaqque@osiris:/tmp/chk]% rm -rf x*
[jaqque@osiris:/tmp/chk]% mkdir "$(perl -e 'print "x" x 4033')"
mkdir: cannot create directory `x....x': File name too long
[jaqque@osiris:/tmp/chk]% mkdir "$(perl -e 'print "x" x 4032')"
[jaqque@osiris:/tmp/chk]% rm -rf x*
[jaqque@osiris:/tmp/chk]% mkdir "$(perl -e 'print "x" x 4032')"
mkdir: cannot create directory `x....x': File exists
zsh: exit 255 mkdir "$(perl -e 'print "x" x 4032')"
[jaqque@osiris:/tmp/chk]% ls -la
total 4
drwxrwxr-x 3 jaqque jaqque 4083 Jan 9 21:56 .
drwxrwxrwt 10 root root 371 Jan 9 21:54 ..
[jaqque@osiris:/tmp/chk]%
no oops, but a directory that cannot be removed.
-john
linux kernel 2.2.18 with reiserfs-3.5.29 patch
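Two replies in this thread describe the same kind of inconsistency from the filesystem side: a name the kernel accepts at mkdir time but then fails to list (Gnea's 4000-character directory) or fails to remove (the 4032-character directory above, which "File exists" but ls -la does not show). The script below is an added example, not code from any message in this thread; it turns the mkdir / ls / rm sequence the posters ran by hand into a repeatable consistency check against the limit the system itself reports through getconf NAME_MAX (a real POSIX interface). The helper names xname, roundtrip and probe, and the scratch-directory naming, are my own choices.

```sh
#!/bin/sh
# Added example (not from the thread): round-trip check that a filesystem
# creates, lists and removes a directory of a given name length, and that
# it refuses names longer than the NAME_MAX it advertises, rather than
# half-creating them. Helper names are this example's own.

# xname N: print a name made of N 'x' characters (awk instead of perl,
# so only POSIX tools are needed).
xname() {
    awk -v n="$1" 'BEGIN { s = ""; while (length(s) < n) s = s "x"; print s }'
}

# roundtrip DIR N: create DIR/<N x's>, check it appears in the listing,
# remove it, check it is gone.
# Exit status: 0 consistent; 1 inconsistent (the "created but not listed"
# and "cannot be removed" symptoms reported in this thread);
# 2 mkdir refused the name (the expected outcome once N exceeds NAME_MAX).
roundtrip() {
    rt_dir=$1
    rt_n=$2
    rt_name=$(xname "$rt_n")
    if ! mkdir "$rt_dir/$rt_name" 2>/dev/null; then
        echo "len=$rt_n: mkdir refused the name"
        return 2
    fi
    if ! ls -a "$rt_dir" | grep -qx "$rt_name"; then
        echo "len=$rt_n: created but not listed by ls"
        return 1
    fi
    if ! rmdir "$rt_dir/$rt_name" 2>/dev/null; then
        echo "len=$rt_n: listed but cannot be removed"
        return 1
    fi
    if [ -e "$rt_dir/$rt_name" ]; then
        echo "len=$rt_n: rmdir succeeded but entry still present"
        return 1
    fi
    echo "len=$rt_n: ok"
    return 0
}

# probe DIR: a one-character name and a NAME_MAX-length name must both
# round-trip; NAME_MAX + 1 must be refused outright by mkdir (the
# "File name too long" error shown above), not created in a broken state.
probe() {
    p_dir=$1
    p_max=$(getconf NAME_MAX "$p_dir") || return 1
    roundtrip "$p_dir" 1 || return 1
    roundtrip "$p_dir" "$p_max" || return 1
    p_rc=0
    roundtrip "$p_dir" $((p_max + 1)) || p_rc=$?
    [ "$p_rc" -eq 2 ] || return 1
    echo "NAME_MAX=$p_max on $p_dir: consistent"
    return 0
}

# Usage: sh namelen-check.sh /mount/point
# Runs the probe in a scratch directory under the given mount point so the
# test entries never touch existing names.
if [ -n "${1:-}" ]; then
    scratch=$(mktemp -d "$1/namelen-check.XXXXXX") || exit 1
    probe "$scratch"
    rc=$?
    rmdir "$scratch"
    exit $rc
fi
```

Run it against the mount point you want to check (a non-zero exit means the filesystem either accepted a name it could not list or remove, or did not honour the NAME_MAX it reports). On the 2.2.18 + reiserfs-3.5.29 box above, the 4032-character case would have stopped at the "listed but cannot be removed" branch.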
* Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)
From: Dirk Mueller @ 2001-01-10 11:03 UTC (permalink / raw)
To: BUGTRAQ, linux-kernel, reiserfs-list
> The best workaround at this time seems to be to uninstall reiserfs
> completely or not allow any user access (even indirect) to these volumes.
> While this individual bug might be easy to fix, we believe that other,
> similar bugs should be easy to find so reiserfs should not be trusted (it
> shouldn't be trusted to full user access for other reasons anyway, but it
> is still widely used).
Can you please calm down? Just because you maybe found ONE bug you cannot
say that there are more issues except this one without even knowing them!
If it helps, I'm using 2.2.18+reiserfs-3.5.29+ide-dma patch and I cannot
reproduce ANYTHING said in the referred message. It works perfectly fine.
I was using gcc 2.95.2 to compile the kernel.
Dirk