Bugtraq mailing list archives
Re: Linux inode.i_count overflow
From: shipley () DIS ORG (Pete)
Date: Wed, 14 Jan 1998 13:02:58 -0800
http://www.ms.mff.cuni.cz/~jkot2155/linuxbug.html While I was working on my master thesis (Emulation of [1]Classic Operating Systems in [2]Distributed Environment), I found following two nasty things in Linux sources: i_count Overflow Security Hole Member i_count in struct inode contains the usage count. It is of type unsigned short, which is only 16-bit long on i386. Unfortunately, it is not enough. You can make it overflow by mapping one file many times:
BSD 2.9 (maybe 4.1) had this problem also, in that case the link count
was stored in a u_char, I think. (you needed to fork something line 23
processes or something to do it since the per process file descriptor
table size was significantly smaller then the file's link counter).
It was possible to hack root by opening a file in the / (root)
filesystem till the that files link count was 0 (and thus it was
added to the freelist). Next you would change your password or
finger/gecos info a few times till "your" inode was reallocated
and used for the password file thus leaving you a open file descriptor
to the password file.
Since I do not run Linux I can not test to see if you can do this under Linux
I have some *old* exploit code for this at home on a disconnected
system but since I am on the road I can get to it. I try to remember to
send it to rootshell.com when I get home.
-Pete
Current thread:
- Linux inode.i_count overflow Aleph One (Jan 14)
- Re: Linux inode.i_count overflow Alan Cox (Jan 14)
- Re: Linux inode.i_count overflow David LeBlanc (Jan 14)
- Re: Linux inode.i_count overflow Pete (Jan 14)
- Re: Linux inode.i_count overflow Casper Dik (Jan 14)
- Re: Linux inode.i_count overflow Alan Cox (Jan 14)