r2849 - trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches
Simon Horman
horms@costa.debian.org
Tue, 29 Mar 2005 08:35:22 +0000
Author: horms
Date: 2005-03-29 08:35:22 +0000 (Tue, 29 Mar 2005)
New Revision: 2849
Added:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/156_fs-ext2-info-leak.diff
Log:
[Security] Fix information leak in ext2 which leads to
a local information leak. See CAN-2005-0400
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/156_fs-ext2-info-leak.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/156_fs-ext2-info-leak.diff 2005-03-29 08:34:57 UTC (rev 2848)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/156_fs-ext2-info-leak.diff 2005-03-29 08:35:22 UTC (rev 2849)
@@ -0,0 +1,64 @@
+# origin: mlafon (BitKeeper)
+# cset: 1.1481 (2.4) key=424473284plfEOB185qmyHPQyNPq4Q
+# URL: http://linux.bkbits.net:8080/linux-2.4/cset@424473284plfEOB185qmyHPQyNPq4Q
+# inclusion: upstream
+# descrition: [PATCH] CAN-2005-0400: ext2 mkdir() directory entry random kernel memory leak
+# revision date: Tue, 29 Mar 2005 17:32:34 +0900
+#
+# S rset: ChangeSet|1.1480..1.1481
+# I rset: fs/ext2/dir.c|1.7..1.8
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+# R: Revised Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/03/25 17:23:04-03:00 mlafon@arkoon.net
+# [PATCH] CAN-2005-0400: ext2 mkdir() directory entry random kernel memory leak
+#
+# I think I have discovered a potential security problem in ext2: when a
+# new directory is created, the ext2 block written to disk is not
+# initialized.
+#
+# An information leak can then be found after the two directory entries ('.'
+# and
+# '..') or in the name buffer of each entry (struct ext2_dir_entry_2).
+#
+# The following script can easily show the problem on Linux 2.4 and 2.6:
+#
+# #!/bin/sh
+# FILE=foo
+# dd if=/dev/zero of=$FILE bs=1k count=8192
+# mke2fs -F -b 1024 -m0 $FILE
+# mount -o loop $FILE mnt
+# for D in `seq 500` ; do mkdir mnt/$D ; done
+# umount mnt
+#
+# Using 'strings foo' will reveal the information leak in the file.
+#
+# fs/ext2/dir.c
+# 2005/03/25 17:21:45-03:00 mlafon@arkoon.net +2 -1
+# CAN-2005-0400: ext2 mkdir() directory entry random kernel memory leak
+#
+#
+===== fs/ext2/dir.c 1.7 vs 1.8 =====
+--- 1.7/fs/ext2/dir.c 2002-11-12 12:37:34 +09:00
++++ 1.8/fs/ext2/dir.c 2005-03-26 05:21:45 +09:00
+@@ -524,7 +524,8 @@ int ext2_make_empty(struct inode *inode,
+ goto fail;
+
+ base = page_address(page);
+-
++
++ memset(base, 0, chunk_size);
+ de = (struct ext2_dir_entry_2 *) base;
+ de->name_len = 1;
+ de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1));
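Review bot: the one substantive line here is `memset(base, 0, chunk_size);`, and it is the right place for it: it runs after `base = page_address(page);` and before the `.` entry is filled in, so the slack the report describes (the bytes after the two entries and the unused tail of each `struct ext2_dir_entry_2` name buffer) is zeroed before the block reaches disk instead of carrying whatever the page held before. Worth confirming in the full function that `chunk_size` is the same length that the page is later committed with, so the zeroed range and the written range coincide; the hunk context does not show that. Two smaller points: the `+-`/`++` pair replaces a blank line with another blank line, which is whitespace-only churn that could be dropped from the Debian copy, and the BitKeeper header misspells `descrition`, which is harmless but will show up in anyone grepping the patch headers for `description`.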