[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Small exposure in ocfs2 fast symlinks.
From:       Joel Becker <Joel.Becker () oracle ! com>
Date:       2010-09-30 5:49:50
Message-ID: 20100930054949.GA9118 () mail ! oracle ! com
[Download RAW message or body]

On Wed, Sep 29, 2010 at 08:30:09PM -0700, Greg KH wrote:
> On Wed, Sep 29, 2010 at 07:04:07PM -0700, Joel Becker wrote:
> > Hey Everyone,
> > 	We just discovered that ocfs2 could walk off the end of fast
> > symlinks -- that is, symlinks that are stored directly in the inode
> > block.  ocfs2 terminates these with NUL characters, but a disk
> > corruption or an attacker with direct access to the ocfs2 disk could
> > overwrite the NUL.  Following the symlink via the filesystem would walk
> > off the end of the in-memory block buffer.  We're not sure how
> > exploitable this is, but I figured I'd provide a heads-up.  The fix is
> > in ocfs2's git tree and will be sent upstream tonight.  Erratas with the
> > fix are being built.
> 
> Care to send the git commit id to the stable@kernel.org tree when it
> hits Linus's tree so it gets backported there?

	I Cc'd stable@kernel.org in the commit, don't worry ;-)

Joel

-- 

Life's Little Instruction Book #267

	"Lie on your back and look at the stars."

Joel Becker
Consulting Software Developer
Oracle
E-mail: joel.becker@oracle.com
Phone: (650) 506-8127
[prev in list] [next in list] [prev in thread] [next in thread]