r2849 - trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches

Simon Horman horms@costa.debian.org
Tue, 29 Mar 2005 08:35:22 +0000


Author: horms
Date: 2005-03-29 08:35:22 +0000 (Tue, 29 Mar 2005)
New Revision: 2849

Added:
   trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/156_fs-ext2-info-leak.diff
Log:
[Security] Fix information leak in ext2 which leads to
a local information leak. See CAN-2005-0400

Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/156_fs-ext2-info-leak.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/156_fs-ext2-info-leak.diff	2005-03-29 08:34:57 UTC (rev 2848)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/156_fs-ext2-info-leak.diff	2005-03-29 08:35:22 UTC (rev 2849)
@@ -0,0 +1,64 @@
+# origin: mlafon (BitKeeper)
+# cset: 1.1481 (2.4) key=424473284plfEOB185qmyHPQyNPq4Q
+# URL: http://linux.bkbits.net:8080/linux-2.4/cset@424473284plfEOB185qmyHPQyNPq4Q
+# inclusion: upstream
+# descrition: [PATCH] CAN-2005-0400: ext2 mkdir() directory entry random kernel memory leak
+# revision date: Tue, 29 Mar 2005 17:32:34 +0900
+#
+# S rset: ChangeSet|1.1480..1.1481
+# I rset: fs/ext2/dir.c|1.7..1.8
+#
+# Key:
+# S: Skipped  ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated  Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted  Manually deleted by subsequent user edit
+# R: Revised  Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2005/03/25 17:23:04-03:00 mlafon@arkoon.net 
+#   [PATCH] CAN-2005-0400: ext2 mkdir() directory entry random kernel memory leak
+#   
+#   I think I have discovered a potential security problem in ext2: when a
+#   new directory is created, the ext2 block written to disk is not
+#   initialized.
+#   
+#   An information leak can then be found after the two directory entries ('.'
+#   and
+#   '..') or in the name buffer of each entry (struct ext2_dir_entry_2).
+#   
+#   The following script can easily show the problem on Linux 2.4 and 2.6:
+#   
+#   #!/bin/sh
+#   FILE=foo
+#   dd if=/dev/zero of=$FILE bs=1k count=8192
+#   mke2fs -F -b 1024 -m0 $FILE
+#   mount -o loop $FILE mnt
+#   for D in `seq 500` ; do mkdir mnt/$D ; done
+#   umount mnt
+#   
+#   Using 'strings foo' will reveal the information leak in the file.
+# 
+# fs/ext2/dir.c
+#   2005/03/25 17:21:45-03:00 mlafon@arkoon.net +2 -1
+#   CAN-2005-0400: ext2 mkdir() directory entry random kernel memory leak
+# 
+#
+===== fs/ext2/dir.c 1.7 vs 1.8 =====
+--- 1.7/fs/ext2/dir.c	2002-11-12 12:37:34 +09:00
++++ 1.8/fs/ext2/dir.c	2005-03-26 05:21:45 +09:00
+@@ -524,7 +524,8 @@ int ext2_make_empty(struct inode *inode,
+ 		goto fail;
+ 
+ 	base = page_address(page);
+-
++	
++	memset(base, 0, chunk_size); 
+ 	de = (struct ext2_dir_entry_2 *) base;
+ 	de->name_len = 1;
+ 	de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1));
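Review bot: the added `memset(base, 0, chunk_size);` line carries trailing whitespace, and the blank line it replaces becomes a tab-only line (`++	`); both should be stripped before this lands, since they will show up as whitespace errors in every later rebase of 156_fs-ext2-info-leak.diff. The substantive change is correct as far as the visible context shows: the block obtained from `page_address(page)` is written to disk whole, so the only way to keep stale page contents out of the padding after the `.` and `..` entries and out of the unused bytes of each `name` buffer is to zero the entire `chunk_size` region before the entries are built, which is exactly where the memset is placed. A one-line comment above the memset (for example that the block is zeroed so no uninitialised kernel memory reaches disk, CAN-2005-0400) would make the intent obvious to anyone reading `ext2_make_empty` later without the changelog. Minor: the metadata header in the hunk spells "descrition" instead of "description"; since the header is generated from the BitKeeper export it is harmless, but worth correcting if the file is regenerated.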