Home page logo

bugtraq logo Bugtraq mailing list archives

Re: major security bug in reiserfs (may affect SuSE Linux)
From: Andreas Ferber <af () DEVCON NET>
Date: Wed, 10 Jan 2001 18:50:33 +0100


On Wed, Jan 10, 2001 at 12:42:01AM +0100, Marc Lehmann wrote:

We have tested and verified this problem on a number of different systems
and kernels 2.2.17/2.2.8 with reiserfs-3.5.28 and probably other versions.

Basically, you do:

mkdir "$(perl -e 'print "x" x 768')"

I.e. create a very long directory. The name doesn't seem to be of
relevance (we found this out by doing mkdir "$(cat /etc/hosts)" for other
tests). This works.  The next ls (or echo *) command will segfault and the
kernel oopses. all following accesses to the volume in question will oops
and hang the process, even afetr a reboot.

Could not reproduce it on Linux 2.4.0 with ReiserFS 3.6.24.

But I found some other strange things (everything tested on the
abovementioned versions):

If you start increasing the directory name length, everything works
fine up to 3377 characters, as is with a length greater than 4032
(mkdir says "File name to long" then).

But if you choose a length between (including) 3378 and 4032, weird
things happen: "ls" and "echo *" no longer show the directory (the
directory is certainly there as you can "cd" into it and "pwd"
correctly shows it) If the length is smaller than 3922, you can still
show the directory with "find -maxdepth 1" (longer names even
disappear from find).

Also sometimes other entries in the directory you were creating the
overlong name in start disappearing from ls. The only system I could
find till now is for filename length <3922 that all files showing up
in the find output after the long name are not shown by ls (the
position changes if you change the name length, but for one particular
length it is constant if you remove and recreate the directory several

You can tell if a directory with an overlong name exists by looking at
the size or the reference count of the parent directory:

(630) root () kallisto: /var/spool # mkdir "$(perl -e 'print "x" x 4032')"
(631) root () kallisto: /var/spool # ls -ld .
drwxr-xr-x   17 root     root         4381 Jan 10 17:58 .
(632) root () kallisto: /var/spool # rmdir "$(perl -e 'print "x" x 4032')"
(633) root () kallisto: /var/spool # ls -ld .
drwxr-xr-x   16 root     root          333 Jan 10 18:00 .

Looks like a nearly perfect place for hiding rootkits or similar
things if you manage to create a directory in manner that no other
files or directories disappear :-/

Just to make it clear, while doing all this, *no* kernel oops and no
segfaults happened, so it doesn't seem to overwrite stack or similar
bad things.

The software versions used in the tests are:

(638) root () kallisto: /var/spool # /lib/libc-2.1.3.so -V
GNU C Library stable release version 2.1.3, by Roland McGrath et al.
Copyright (C) 1992, 93, 94, 95, 96, 97, 98, 99 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Compiled by GNU CC version 2.95.2 20000220 (Debian GNU/Linux).
Compiled on a Linux 2.2.15 system on 2000-09-01.
Available extensions:
        GNU libio by Per Bothner
        crypt add-on version 2.1 by Michael Glad and others
        linuxthreads-0.8 by Xavier Leroy
        NIS(YP)/NIS+ NSS modules 0.19 by Thorsten Kukuk
        NSS V1 modules 2.0.2
        libthread_db work sponsored by Alpha Processor Inc
Report bugs using the `glibcbug' script to <bugs () gnu org>.
(639) root () kallisto: /var/spool # find --version
GNU find version 4.1
(640) root () kallisto: /var/spool # ls --version
ls (GNU fileutils) 4.0l
Written by Richard Stallman and David MacKenzie.

Copyright (C) 1999 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
(641) root () kallisto: /var/spool # bash --version
GNU bash, version 2.03.0(1)-release (i386-pc-linux-gnu)
Copyright 1998 Free Software Foundation, Inc.

       Andreas Ferber - dev/consulting GmbH - Bielefeld, FRG
      +49 521 1365800 - af () devconsult de - www.devconsult.de

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]