Bug 459577 (CVE-2008-3528)
Summary: | CVE-2008-3528 Linux kernel ext[234] directory corruption denial of service | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | anton, bhu, dhoward, esandeen, jbacik, jpirko, kseifried, lgoncalv, lwang, peterm, rwheeler, security-response-team, vgoyal, williams |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2011-09-30 03:35:06 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 459586, 459587, 459592, 459593, 459598, 459599, 459601, 459604 | ||
Bug Blocks: |
Description
Eugene Teo (Security Response)
2008-08-20 11:38:07 UTC
It will loop in ext2_find_entry routine almost ad infinitum. EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=8654848, inode=0, rec_len=0, name_len=0 EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=8658944, inode=0, rec_len=0, name_len=0 EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=8663040, inode=0, rec_len=0, name_len=0 EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=8667136, inode=0, rec_len=0, name_len=0 EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=8671232, inode=0, rec_len=0, name_len=0 EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=8675328, inode=0, rec_len=0, name_len=0 EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=8679424, inode=0, rec_len=0, name_len=0 EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=8683520, inode=0, rec_len=0, name_len=0 [...] EXT2-fs error (device loop0): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0 EXT2-fs error (device loop0): ext2_readdir: bad page in #2 I've got some changes to make ext2_find_entry return an error on too many bad pages, and then associated changes to propagate that error up. Incidentally ext3 suffers similarly when faced with the same sort of corruption, even though the codepaths are slightly different. ext4 is therefore almost certainly broken as well. I guess we should fix them all at the same time .... -Eric (In reply to comment #12) > I've got some changes to make ext2_find_entry return an error on too many bad > pages, and then associated changes to propagate that error up. > > Incidentally ext3 suffers similarly when faced with the same sort of > corruption, even though the codepaths are slightly different. > > ext4 is therefore almost certainly broken as well. > > I guess we should fix them all at the same time .... Aye. Thanks. References: http://lkml.org/lkml/2008/9/13/98 http://lkml.org/lkml/2008/9/13/99 http://lkml.org/lkml/2008/9/17/371 Upstream commits: - bd39597cbd42a784105a04010100e27267481c67 (ext2) - cdbf6dba28e8e6268c8420857696309470009fd9 (ext3) - 9d9f177572d9e4eba0f2e18523b44f90dd51fe74 (ext4) Patches added to -90 This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:0326 https://rhn.redhat.com/errata/RHSA-2009-0326.html |