oss-sec mailing list archives
Small exposure in ocfs2 fast symlinks.
From: Joel Becker <Joel.Becker () oracle com>
Date: Wed, 29 Sep 2010 19:04:07 -0700
Hey Everyone,

We just discovered that ocfs2 could walk off the end of fast symlinks -- that is, symlinks that are stored directly in the inode block. ocfs2 terminates these with NUL characters, but a disk corruption or an attacker with direct access to the ocfs2 disk could overwrite the NUL. Following the symlink via the filesystem would walk off the end of the in-memory block buffer.

We're not sure how exploitable this is, but I figured I'd provide a heads-up. The fix is in ocfs2's git tree and will be sent upstream tonight. Erratas with the fix are being built.

If someone thinks we should have a CVE, please provide me with the number. Otherwise, just FYI.

Joel

--
Life's Little Instruction Book #267
"Lie on your back and look at the stars."

Joel Becker
Consulting Software Developer
Oracle
E-mail: joel.becker () oracle com
Phone: (650) 506-8127
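The kind of bounds check this message calls for, as an added example that is not part of the original post and is not ocfs2's code: before following an inline symlink, confirm that a NUL terminator exists inside the block. The struct layout, sizes and function names are hypothetical, and the sample blocks are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified layout (NOT ocfs2's on-disk format): a fixed
 * header followed by the inline symlink target, all within one block. */
#define BLOCK_SIZE  512u
#define HEADER_SIZE 192u
#define INLINE_MAX  (BLOCK_SIZE - HEADER_SIZE)

struct toy_inode_block {
    uint8_t header[HEADER_SIZE];
    char    inline_target[INLINE_MAX];
};

/* Length of the inline target, or -1 if no NUL lies inside the block
 * (corrupt or tampered data). The search never reads past INLINE_MAX. */
long fast_symlink_len(const struct toy_inode_block *blk)
{
    const char *nul = memchr(blk->inline_target, '\0', INLINE_MAX);
    if (nul == NULL)
        return -1;
    return (long)(nul - blk->inline_target);
}

/* Copy the validated target into out. Returns 0 on success, -1 if the
 * block is unterminated or the caller's buffer is too small. */
int read_fast_symlink(const struct toy_inode_block *blk, char *out, size_t outsz)
{
    long len = fast_symlink_len(blk);
    if (len < 0 || (size_t)len >= outsz)
        return -1;
    memcpy(out, blk->inline_target, (size_t)len + 1);
    return 0;
}

int main(void)
{
    struct toy_inode_block blk;
    char out[64];

    memset(&blk, 'A', sizeof blk);               /* constructed: NUL overwritten */
    printf("unterminated: %d\n", read_fast_symlink(&blk, out, sizeof out));

    memcpy(blk.inline_target, "/mnt/data", 10);  /* constructed: valid target */
    if (read_fast_symlink(&blk, out, sizeof out) == 0)
        printf("target: %s\n", out);
    return 0;
}
```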