Re: Small exposure in ocfs2 fast symlinks.

[Joel Becker <Joel.Becker () oracle com>]

On Wed, Sep 29, 2010 at 08:30:09PM -0700, Greg KH wrote:
> On Wed, Sep 29, 2010 at 07:04:07PM -0700, Joel Becker wrote:
> > Hey Everyone,
> >     We just discovered that ocfs2 could walk off the end of fast
> > symlinks -- that is, symlinks that are stored directly in the inode
> > block.  ocfs2 terminates these with NUL characters, but a disk
> > corruption or an attacker with direct access to the ocfs2 disk could
> > overwrite the NUL.  Following the symlink via the filesystem would walk
> > off the end of the in-memory block buffer.  We're not sure how
> > exploitable this is, but I figured I'd provide a heads-up.  The fix is
> > in ocfs2's git tree and will be sent upstream tonight.  Erratas with the
> > fix are being built.
>
> Care to send the git commit id to the stable () kernel org tree when it
> hits Linus's tree so it gets backported there?

        I Cc'd stable () kernel org in the commit, don't worry ;-)

Joel

-- 

Life's Little Instruction Book #267

        "Lie on your back and look at the stars."

Joel Becker
Consulting Software Developer
Oracle
E-mail: joel.becker () oracle com
Phone: (650) 506-8127