Bug 459577 - (CVE-2008-3528) CVE-2008-3528 Linux kernel ext[234] directory corruption denial of service
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: low
Assigned To: Red Hat Product Security
impact=low,source=redhat,reported=200...
Keywords: Security
Depends On: 459586 459587 459592 459593 459598 459599 459601 459604
Reported: 2008-08-20 07:38 EDT by Eugene Teo (Security Response)
Modified: 2011-09-29 23:35 EDT
Doc Type: Bug Fix
Last Closed: 2011-09-29 23:35:06 EDT
Description Eugene Teo (Security Response) 2008-08-20 07:38:07 EDT
Description of problem:
Eugene Teo reported that the ext2 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when read or write operations are performed.
Comment 4 Eugene Teo (Security Response) 2008-08-20 08:47:43 EDT
It will loop in the ext2_find_entry routine almost ad infinitum.

EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8654848, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8658944, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8663040, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8667136, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8671232, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8675328, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8679424, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8683520, inode=0, rec_len=0,
name_len=0
[...]
Comment 11 Eugene Teo (Security Response) 2008-08-28 04:52:21 EDT
EXT2-fs error (device loop0): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop0): ext2_readdir: bad page in #2
Comment 12 Eric Sandeen 2008-09-02 17:07:15 EDT
I've got some changes to make ext2_find_entry return an error on too many bad pages, and then associated changes to propagate that error up.

Incidentally ext3 suffers similarly when faced with the same sort of corruption, even though the codepaths are slightly different.

ext4 is therefore almost certainly broken as well.

I guess we should fix them all at the same time ....

-Eric
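
A user-space model of the behaviour discussed in comments 4 and 12, added here as an illustration and not Eric Sandeen's patch or kernel code: a directory lookup that validates each page's entries and returns -EIO after a bounded number of bad pages instead of scanning on. The names scan_page, dir_lookup and demo, the MAX_BAD_PAGES limit and the zero-filled sample pages are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define PAGE_SZ       4096u
#define MIN_REC_LEN   12u  /* 8-byte header + name padded to 4 bytes */
#define MAX_BAD_PAGES 8u   /* assumed limit for this model, not the kernel's */
struct de { uint32_t inode; uint16_t rec_len; uint8_t name_len, type; }; /* host-endian model */

/* Validate every entry in one page: -1 if corrupt, else matching inode or 0. */
static long scan_page(const uint8_t *p, const char *name, size_t nlen)
{
    long found = 0;
    for (uint32_t off = 0; off < PAGE_SZ; ) {
        struct de d;
        memcpy(&d, p + off, sizeof d);
        if (d.rec_len < MIN_REC_LEN || (d.rec_len & 3) ||
            off + d.rec_len > PAGE_SZ || 8u + d.name_len > d.rec_len)
            return -1;              /* e.g. rec_len=0, as in the log above */
        if (!found && d.inode && d.name_len == nlen && !memcmp(p + off + 8, name, nlen))
            found = d.inode;
        off += d.rec_len;
    }
    return found;
}

/* Inode if found, 0 if absent, -EIO once MAX_BAD_PAGES pages failed. */
long dir_lookup(const uint8_t *dir, uint32_t npages, const char *name, uint32_t *visited)
{
    uint32_t bad = 0;
    for (uint32_t n = 0; n < npages; n++) {
        long r = scan_page(dir + (size_t)n * PAGE_SZ, name, strlen(name));
        *visited = n + 1;           /* pages read so far */
        if (r > 0) return r;
        if (r < 0 && ++bad >= MAX_BAD_PAGES) return -EIO; /* stop, propagate */
    }
    return 0;
}

/* Constructed input: npages (<= 32) zeroed pages; page good_at holds "a" -> inode 12. */
long demo(uint32_t npages, uint32_t good_at, uint32_t *visited)
{
    uint8_t dir[32 * PAGE_SZ] = {0};
    if (npages > 32) return -EINVAL;
    if (good_at < npages) {
        memcpy(dir + (size_t)good_at * PAGE_SZ, &(struct de){ 12, PAGE_SZ, 1, 1 }, sizeof(struct de));
        dir[(size_t)good_at * PAGE_SZ + 8] = 'a';
    }
    return dir_lookup(dir, npages, "a", visited);
}
```

With the limit in place the work done on a fully corrupt directory is bounded by MAX_BAD_PAGES rather than by the directory size; the cost is that a valid entry located after that many bad pages is no longer reachable.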
Comment 13 Eugene Teo (Security Response) 2008-09-02 23:04:46 EDT
(In reply to comment #12)
> I've got some changes to make ext2_find_entry return an error on too many bad
> pages, and then associated changes to propagate that error up.
> 
> Incidentally ext3 suffers similarly when faced with the same sort of
> corruption, even though the codepaths are slightly different.
> 
> ext4 is therefore almost certainly broken as well.
> 
> I guess we should fix them all at the same time ....

Aye. Thanks.
Comment 17 Eugene Teo (Security Response) 2008-10-20 20:56:10 EDT
Upstream commits:
- bd39597cbd42a784105a04010100e27267481c67 (ext2)
- cdbf6dba28e8e6268c8420857696309470009fd9 (ext3)
- 9d9f177572d9e4eba0f2e18523b44f90dd51fe74 (ext4)
Comment 18 Luis Claudio R. Goncalves 2008-10-28 14:56:38 EDT
Patches added to -90
Comment 19 errata-xmlrpc 2009-04-01 04:31:10 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0326 https://rhn.redhat.com/errata/RHSA-2009-0326.html
