Bug 247726 - (CVE-2007-2878) CVE-2007-2878 VFAT compat ioctls DoS on 64-bit
CVE-2007-2878 VFAT compat ioctls DoS on 64-bit
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity high
: ---
: ---
Assigned To: Eric Sandeen
impact=important,source=lkml,reported...
: Security
Depends On: 250665 250666 253316 253317
Blocks:
  Show dependency treegraph
 
Reported: 2007-07-10 22:59 EDT by Marcel Holtmann
Modified: 2007-11-01 09:33 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-01 09:33:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Upstream supporting patch, backported for RHEL5 (4.79 KB, patch)
2007-07-11 15:10 EDT, Eric Sandeen
no flags Details | Diff
Upstream resolution patch, backported for RHEL5 (9.60 KB, patch)
2007-07-11 15:12 EDT, Eric Sandeen
no flags Details | Diff

  None (edit)
Description Marcel Holtmann 2007-07-10 22:59:31 EDT
The VFAT compat ioctls in the Linux kernel before 2.6.21.2, when run on a 64-bit
system, allow local users to corrupt a kernel_dirent struct and cause a denial
of service (system crash) via unknown vectors.

http://www.securityfocus.com/bid/24134
Comment 3 Eric Sandeen 2007-07-11 15:10:16 EDT
Created attachment 158990 [details]
Upstream supporting patch, backported for RHEL5

Not strictly necessary, but this upstream patch (see
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=188f83dfe0eeecd1427d0d255cc97dbf7ef6b4b7

) eases the backport of the fix.  It's a simple code move of fat compat ioctls
into fs/fat/dir.c from fs/compat_ioctl.c
Comment 4 Eric Sandeen 2007-07-11 15:12:52 EDT
Created attachment 158991 [details]
Upstream resolution patch, backported for RHEL5

The actual fix, applies on top of the last attachment.
Comment 5 Eric Sandeen 2007-07-11 15:16:40 EDT
Note also that this changes KABI on fat_* symbols but I don't think they're in
the whitelist - Early on, I asked them to be removed, in any case...

--- /build/obj/kabi-test/Module.symvers.orig    2007-06-14 13:56:51.970823381 -0500
+++ /build/obj/kabi-test/Module.symvers 2007-07-11 13:23:33.168300526 -0500
-0x530aec08     fat_dir_empty   fs/fat/fat      EXPORT_SYMBOL_GPL
+0xc5967420     fat_dir_empty   fs/fat/fat      EXPORT_SYMBOL_GPL
-0xfcca0992     fat_add_entries fs/fat/fat      EXPORT_SYMBOL_GPL
+0x705e2f60     fat_add_entries fs/fat/fat      EXPORT_SYMBOL_GPL
-0x41181e25     fat_get_dotdot_entry    fs/fat/fat      EXPORT_SYMBOL_GPL
+0xba4b0f17     fat_get_dotdot_entry    fs/fat/fat      EXPORT_SYMBOL_GPL
-0x4ce5aa5a     fat_search_long fs/fat/fat      EXPORT_SYMBOL_GPL
+0x9f0ba2c5     fat_search_long fs/fat/fat      EXPORT_SYMBOL_GPL
-0x0bca81db     fat_alloc_new_dir       fs/fat/fat      EXPORT_SYMBOL_GPL
+0xa524a16d     fat_alloc_new_dir       fs/fat/fat      EXPORT_SYMBOL_GPL
-0xb54f6db5     fat_scan        fs/fat/fat      EXPORT_SYMBOL_GPL
+0xf2d7dd2e     fat_scan        fs/fat/fat      EXPORT_SYMBOL_GPL
-0x8180a222     fat_remove_entries      fs/fat/fat      EXPORT_SYMBOL_GPL
+0x117f8975     fat_remove_entries      fs/fat/fat      EXPORT_SYMBOL_GPL
Comment 8 Eric Sandeen 2007-08-07 18:01:33 EDT
So far I actually cannot reproduce this on rhel-4.6, need to look into why that is.
Comment 9 Eric Sandeen 2007-08-07 18:04:29 EDT
Ugh, scratch that, forgot to build test as 32 bit binary on rhel4.  Yes, it's
vulnerable.

Note You need to log in before you can comment on or make changes to this bug.