This looks like a rather urgent and dangerous bug. Please disable RieserFS on machines exposed to the net -----------Forwarded Message---------------- Return-Path: <[EMAIL PROTECTED]> Received: from lists.securityfocus.com (lists.securityfocus.com [207.126.127.68]) by ns2.worldgatein.com (8.9.3/8.9.3) with ESMTP id IAA05047 for <[EMAIL PROTECTED]>; Wed, 10 Jan 2001 08:20:32 +0530 Received: from lists.securityfocus.com (lists.securityfocus.com [207.126.127.68]) by lists.securityfocus.com (Postfix) with ESMTP id B0EF224CC25; Tue, 9 Jan 2001 17:56:30 -0800 (PST) Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM (LISTSERV-TCP/IP release 1.8d) with spool id 22338382 for [EMAIL PROTECTED]; Tue, 9 Jan 2001 17:55:41 -0800 Approved-By: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED] Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78]) by lists.securityfocus.com (Postfix) with SMTP id 24B9924D081 for <[EMAIL PROTECTED]>; Tue, 9 Jan 2001 15:39:49 -0800 (PST) Received: (qmail 21864 invoked by alias); 9 Jan 2001 23:39:52 -0000 Delivered-To: [EMAIL PROTECTED] Received: (qmail 21841 invoked from network); 9 Jan 2001 23:39:51 -0000 Received: from islay.mach.uni-karlsruhe.de (HELO mailout.plan9.de) (129.13.162.92) by mail.securityfocus.com with SMTP; 9 Jan 2001 23:39:51 -0000 Received: from cerebro ([10.0.0.1] helo=mail.plan9.de ident=schmorp) by mailout.plan9.de with esmtp (Exim 3.20 #1) id 14G8P6-0004dq-00; Wed, 10 Jan 2001 00:42:12 +0100 Received: from root by mail.plan9.de with local (Exim 3.20 #1) id 14G8Ov-000079-00; Wed, 10 Jan 2001 00:42:01 +0100 Mail-Followup-To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Operating-System: Linux version 2.2.18 (root@cerebro) (gcc version pgcc-2.95.2.1 20001224 (release)) X-Copyright: copyright 2000 Marc Alexander Lehmann - all rights reserved Message-ID: <[EMAIL PROTECTED]> Date: Wed, 10 Jan 2001 00:42:01 +0100 Reply-To: Marc Lehmann <[EMAIL PROTECTED]> Sender: Bugtraq List <[EMAIL PROTECTED]> From: Marc Lehmann <[EMAIL PROTECTED]> Subject: major security bug in reiserfs (may affect SuSE Linux) X-To: [EMAIL PROTECTED], [EMAIL PROTECTED] To: [EMAIL PROTECTED] Status: R X-Status: N We are still investigating, but there seems to be a major security problem in at least some versions of reiserfs. Since reiserfs is shipped with newer versions of SuSE Linux and the problem is too easy to reproduce and VERY dangerous I think alerting people to this problem is in order. We have tested and verified this problem on a number of different systems and kernels 2.2.17/2.2.8 with reiserfs-3.5.28 and probably other versions. Basically, you do: mkdir "$(perl -e 'print "x" x 768')" I.e. create a very long directory. The name doesn't seem to be of relevance (we found this out by doing mkdir "$(cat /etc/hosts)" for other tests). This works. The next ls (or echo *) command will segfault and the kernel oopses. all following accesses to the volume in question will oops and hang the process, even afetr a reboot. reiserfsck (the filesystem check program) does _NOT_ detect or solve this problem: Replaying journal..ok Checking S+tree..ok Comparing bitmaps..ok But fortunately, rmdir <filename> works and seems to leave the filesystem undamaged. Since a kernel oops results (see below), this indicates a buffer overrun (the kernel jumps to address 78787878, which is "xxxx") inside the kernel, which is of course very nasty (think ftp-upload!) and certainly gives you root access from anywhere, even from inside a chrooted environment. We didn't pursue this further. The best workaround at this time seems to be to uninstall reiserfs completely or not allow any user access (even indirect) to these volumes. While this individual bug might be easy to fix, we believe that other, similar bugs should be easy to find so reiserfs should not be trusted (it shouldn't be trusted to full user access for other reasons anyway, but it is still widely used). Unable to handle kernel paging request at virtual address 78787878 current->tss.cr3 = 0d074000, %cr3 = 0d074000 *pde = 00000000 Oops: 0002 CPU: 0 EIP: 0010:[<c013f875>] EFLAGS: 00010282 eax: 00000000 ebx: bfffe78c ecx: 00000000 edx: bfffe78c esi: ccbddd62 edi: 78787878 ebp: 00000300 esp: ccbddd3c ds: 0018 es: 0018 ss: 0018 Process bash (pid: 292, process nr: 54, stackpage=ccbdd000) Stack: c013f66a ccbddf6c cd100000 ccbddd62 0000030c c0136d49 00000700 00002013 00001000 7878030c 78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878 Call Trace: [<c013f66a>] [<c0136d49>] Code: 89 1f 8b 44 24 18 29 47 08 31 c0 5b 5e 5f 5d 81 c4 2c 01 00 -- -----==- | ----==-- _ | ---==---(_)__ __ ____ __ Marc Lehmann +-- --==---/ / _ \/ // /\ \/ / [EMAIL PROTECTED] |e| -=====/_/_//_/\_,_/ /_/\_\ XX11-RIPE --+ The choice of a GNU generation | | ------------------------------------------------------------ For Valentine's Day shop by Brand, Product, Price, Store and Location! http://shop.storerunner.com/shop.asp?pdef=home&trsid=3080 ---------------------------------------------- LIH is all for free speech. But it was created for a purpose. Violations of the rules of this list will result in stern action.
