Description of problem: Eugene Teo reported that the ext2 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when read or write operations are performed.
It will loop in the ext2_find_entry routine almost ad infinitum.

EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=8654848, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=8658944, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=8663040, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=8667136, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=8671232, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=8675328, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=8679424, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=8683520, inode=0, rec_len=0, name_len=0
[...]

EXT2-fs error (device loop0): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop0): ext2_readdir: bad page in #2
I've got some changes to make ext2_find_entry return an error on too many bad pages, and then associated changes to propagate that error up. Incidentally ext3 suffers similarly when faced with the same sort of corruption, even though the codepaths are slightly different. ext4 is therefore almost certainly broken as well. I guess we should fix them all at the same time .... -Eric
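Added example, not code from the kernel or from the commits referenced in this bug: a userspace model of the two pieces involved here, a directory-block validator that applies the same sanity checks ext2_check_page performs on each entry (minimum rec_len, 4-byte alignment, rec_len large enough for name_len, entry not crossing the block, inode in range) and a lookup loop that, as the comment above proposes, stops and returns an error after a bounded number of bad blocks instead of grinding through every block a corrupted directory size claims. The block builder, BLOCK_SIZE, MAX_BAD_BLOCKS, and the sample blocks are constructed for the example; EXT2_DIR_REC_LEN mirrors the kernel macro.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ext2 directory entry framing: 8-byte header (inode, rec_len, name_len,
 * file_type) followed by the name, with rec_len rounded up to 4 bytes. */
#define EXT2_DIR_PAD            4
#define EXT2_DIR_ROUND          (EXT2_DIR_PAD - 1)
#define EXT2_DIR_REC_LEN(nlen)  (((nlen) + 8 + EXT2_DIR_ROUND) & ~EXT2_DIR_ROUND)

#define BLOCK_SIZE      1024   /* constructed: one directory block per "page" */
#define MAX_BAD_BLOCKS  4      /* hypothetical cap: give up rather than loop */
#define MAX_INODE       1024   /* constructed: stand-in for s_inodes_count */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk one block entry by entry. Returns NULL if every entry is sane and the
 * chain ends exactly at the block end; otherwise a message naming the first
 * defect (same wording as the kernel's ext2_check_page) and its offset. */
static const char *check_dir_block(const uint8_t *blk, size_t len, size_t *bad_offs)
{
    size_t offs = 0;
    while (offs + EXT2_DIR_REC_LEN(1) <= len) {
        uint32_t inode   = rd32(blk + offs);
        uint16_t rec_len = rd16(blk + offs + 4);
        uint8_t  nlen    = blk[offs + 6];
        const char *err  = NULL;

        if (rec_len < EXT2_DIR_REC_LEN(1))      err = "rec_len is smaller than minimal";
        else if (rec_len & EXT2_DIR_ROUND)      err = "unaligned directory entry";
        else if (rec_len < EXT2_DIR_REC_LEN(nlen)) err = "rec_len is too small for name_len";
        else if (len - offs < rec_len)          err = "directory entry across blocks";
        else if (inode > MAX_INODE)             err = "inode out of bounds";
        if (err) { *bad_offs = offs; return err; }
        offs += rec_len;   /* rec_len >= 12 here, so the walk always advances */
    }
    if (offs != len) { *bad_offs = offs; return "entry spans the block boundary"; }
    return NULL;
}

/* Look up `name` over the directory's blocks. Returns the inode number,
 * 0 if absent, or -1 once MAX_BAD_BLOCKS corrupt blocks have been seen:
 * the bounded-error behaviour the comment above asks for, instead of
 * reporting every bad page up to an untrustworthy i_size. */
static long find_entry(const uint8_t *const *blocks, size_t nblocks, const char *name)
{
    size_t bad = 0, nlen = strlen(name);
    for (size_t b = 0; b < nblocks; b++) {
        size_t bad_offs;
        const char *err = check_dir_block(blocks[b], BLOCK_SIZE, &bad_offs);
        if (err) {
            fprintf(stderr, "ext2_check_page: bad entry in directory: %s - offset=%zu\n",
                    err, b * BLOCK_SIZE + bad_offs);
            if (++bad >= MAX_BAD_BLOCKS) return -1;
            continue;
        }
        for (size_t offs = 0; offs < BLOCK_SIZE; offs += rd16(blocks[b] + offs + 4)) {
            uint32_t inode = rd32(blocks[b] + offs);
            if (inode && blocks[b][offs + 6] == nlen &&
                memcmp(blocks[b] + offs + 8, name, nlen) == 0)
                return inode;
        }
    }
    return 0;
}

/* Constructed helpers to build sample blocks for the example. */
static size_t put_entry(uint8_t *blk, size_t offs, uint32_t ino, const char *name, uint16_t rec_len)
{
    uint8_t nlen = (uint8_t)strlen(name);
    blk[offs] = ino & 0xff; blk[offs + 1] = (ino >> 8) & 0xff;
    blk[offs + 2] = (ino >> 16) & 0xff; blk[offs + 3] = (ino >> 24) & 0xff;
    blk[offs + 4] = rec_len & 0xff; blk[offs + 5] = rec_len >> 8;
    blk[offs + 6] = nlen; blk[offs + 7] = 1;   /* file_type: regular file */
    memcpy(blk + offs + 8, name, nlen);
    return offs + rec_len;
}

static void build_good_block(uint8_t *blk)
{
    memset(blk, 0, BLOCK_SIZE);
    size_t o = put_entry(blk, 0, 2, ".", EXT2_DIR_REC_LEN(1));
    o = put_entry(blk, o, 2, "..", EXT2_DIR_REC_LEN(2));
    put_entry(blk, o, 13, "file", (uint16_t)(BLOCK_SIZE - o)); /* last entry fills the block */
}

int main(void)
{
    uint8_t good[BLOCK_SIZE], zero[BLOCK_SIZE];
    build_good_block(good);
    memset(zero, 0, BLOCK_SIZE);   /* the all-zero page from the report: rec_len=0 */
    const uint8_t *ok[2] = { good, good };
    const uint8_t *corrupt[8] = { zero, zero, zero, zero, zero, zero, zero, zero };
    printf("clean lookup -> %ld\n", find_entry(ok, 2, "file"));
    printf("corrupt lookup -> %ld\n", find_entry(corrupt, 8, "file"));
    return 0;
}
```

The zero-filled block reproduces the rec_len=0 case from the report: without the minimum-length check the walk would never advance, and without the bad-block cap the lookup would keep emitting the same error for every block the directory claims to have.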
(In reply to comment #12)
> I've got some changes to make ext2_find_entry return an error on too many bad
> pages, and then associated changes to propagate that error up.
>
> Incidentally ext3 suffers similarly when faced with the same sort of
> corruption, even though the codepaths are slightly different.
>
> ext4 is therefore almost certainly broken as well.
>
> I guess we should fix them all at the same time ....

Aye. Thanks.
References:
http://lkml.org/lkml/2008/9/13/98
http://lkml.org/lkml/2008/9/13/99
http://lkml.org/lkml/2008/9/17/371

Upstream commits:
- bd39597cbd42a784105a04010100e27267481c67 (ext2)
- cdbf6dba28e8e6268c8420857696309470009fd9 (ext3)
- 9d9f177572d9e4eba0f2e18523b44f90dd51fe74 (ext4)
Patches added to -90
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5
Via RHSA-2009:0326 https://rhn.redhat.com/errata/RHSA-2009-0326.html