Bug 459577 (CVE-2008-3528)

Summary: CVE-2008-3528 Linux kernel ext[234] directory corruption denial of service
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: medium
Version: unspecified
CC: anton, bhu, dhoward, esandeen, jbacik, jpirko, kseifried, lgoncalv, lwang, peterm, rwheeler, security-response-team, vgoyal, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-09-30 03:35:06 UTC
Bug Depends On: 459586, 459587, 459592, 459593, 459598, 459599, 459601, 459604

Description Eugene Teo (Security Response) 2008-08-20 11:38:07 UTC
Description of problem:
Eugene Teo reported that the ext2 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when read or write operations are performed.

Comment 4 Eugene Teo (Security Response) 2008-08-20 12:47:43 UTC
It will loop in the ext2_find_entry routine almost ad infinitum.

EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8654848, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8658944, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8663040, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8667136, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8671232, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8675328, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8679424, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8683520, inode=0, rec_len=0,
name_len=0
[...]

Comment 11 Eugene Teo (Security Response) 2008-08-28 08:52:21 UTC
EXT2-fs error (device loop0): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop0): ext2_readdir: bad page in #2

Comment 12 Eric Sandeen 2008-09-02 21:07:15 UTC
I've got some changes to make ext2_find_entry return an error on too many bad pages, and then associated changes to propagate that error up.

Incidentally ext3 suffers similarly when faced with the same sort of corruption, even though the codepaths are slightly different.

ext4 is therefore almost certainly broken as well.

I guess we should fix them all at the same time ....

-Eric
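
A user-space model of the approach described in comment 12, added here as an illustration; it is not the upstream patch and not kernel code. It validates each directory block before walking it (the rec_len checks behind the ext2_check_page messages above) and returns an error once too many blocks are bad. The 1024-byte block size, the MAX_BAD threshold and the names check_block, find_entry and fill_block are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define BLK 1024u                           /* assumed block size */
#define MAX_BAD 2u                          /* assumed threshold, not the kernel's value */
#define REC_LEN(n) (((n) + 8u + 3u) & ~3u)  /* 8-byte header + name, rounded up to 4 */
static unsigned rd16(const uint8_t *p) { return p[0] | (unsigned)p[1] << 8; }

/* 0 if every entry in the block is sane, -1 at the first bad one. */
int check_block(const uint8_t *b) {
    for (size_t off = 0; off < BLK; ) {
        if (BLK - off < REC_LEN(1)) return -1;       /* no room for another header */
        unsigned rec = rd16(b + off + 4), nlen = b[off + 6];
        if (rec < REC_LEN(1) || (rec & 3) ||         /* "smaller than minimal", misaligned */
            rec < REC_LEN(nlen) || rec > BLK - off)  /* too short for name, spans block */
            return -1;
        off += rec;                                  /* rec >= 12, so the walk advances */
    }
    return 0;
}

/* 1 = found, 0 = absent, -EIO = bad blocks were hit and the name was not found. */
int find_entry(const uint8_t *dir, size_t nblocks, const char *name) {
    size_t nlen = strlen(name), bad = 0;
    for (size_t i = 0; i < nblocks; i++) {
        const uint8_t *b = dir + i * BLK;
        if (check_block(b)) {                        /* never walk an unchecked block */
            if (++bad > MAX_BAD) return -EIO;        /* give up early, report upward */
            continue;
        }
        for (size_t off = 0; off < BLK; off += rd16(b + off + 4))
            if ((b[off] | b[off + 1] | b[off + 2] | b[off + 3]) &&   /* inode != 0 */
                b[off + 6] == nlen && !memcmp(b + off + 8, name, nlen))
                return 1;
    }
    return bad ? -EIO : 0;
}

/* Constructed sample data: one live entry whose rec_len covers the whole block. */
void fill_block(uint8_t *b, uint8_t ino, const char *name) {
    memset(b, 0, BLK);
    b[0] = ino; b[4] = BLK & 0xff; b[5] = BLK >> 8;  /* inode, rec_len (little-endian) */
    b[6] = (uint8_t)strlen(name); memcpy(b + 8, name, b[6]);
}

int main(void) {
    static uint8_t dir[5 * BLK];   /* blocks 0-3 stay zeroed: rec_len=0, as in the log */
    fill_block(dir + 4 * BLK, 12, "passwd");
    return !(find_entry(dir + 2 * BLK, 3, "passwd") == 1 && find_entry(dir, 5, "passwd") == -EIO);
}
```

A lookup that skipped any bad block and did not find the name returns -EIO rather than 0, so the caller cannot mistake a damaged directory for a clean "not found".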

Comment 13 Eugene Teo (Security Response) 2008-09-03 03:04:46 UTC
(In reply to comment #12)
> I've got some changes to make ext2_find_entry return an error on too many bad
> pages, and then associated changes to propagate that error up.
> 
> Incidentally ext3 suffers similarly when faced with the same sort of
> corruption, even though the codepaths are slightly different.
> 
> ext4 is therefore almost certainly broken as well.
> 
> I guess we should fix them all at the same time ....

Aye. Thanks.

Comment 17 Eugene Teo (Security Response) 2008-10-21 00:56:10 UTC
Upstream commits:
- bd39597cbd42a784105a04010100e27267481c67 (ext2)
- cdbf6dba28e8e6268c8420857696309470009fd9 (ext3)
- 9d9f177572d9e4eba0f2e18523b44f90dd51fe74 (ext4)

Comment 18 Luis Claudio R. Goncalves 2008-10-28 18:56:38 UTC
Patches added to -90

Comment 19 errata-xmlrpc 2009-04-01 08:31:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0326 https://rhn.redhat.com/errata/RHSA-2009-0326.html