Bug 459577 (CVE-2008-3528) - CVE-2008-3528 Linux kernel ext[234] directory corruption denial of service
Summary: CVE-2008-3528 Linux kernel ext[234] directory corruption denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-3528
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,source=redhat,reported=200...
Depends On: 459586 459587 459592 459593 459598 459599 459601 459604
Blocks:
Reported: 2008-08-20 11:38 UTC by Eugene Teo (Security Response)
Modified: 2019-06-08 12:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-30 03:35:06 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0972 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-11-19 13:44:42 UTC
Red Hat Product Errata RHSA-2009:0009 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-01-22 10:43:54 UTC
Red Hat Product Errata RHSA-2009:0326 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-04-01 08:28:02 UTC

Description Eugene Teo (Security Response) 2008-08-20 11:38:07 UTC
Description of problem:
Eugene Teo reported that the ext2 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when read or write operations are performed.

Comment 4 Eugene Teo (Security Response) 2008-08-20 12:47:43 UTC
It will loop in the ext2_find_entry routine almost ad infinitum.

EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8654848, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8658944, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8663040, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8667136, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8671232, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8675328, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8679424, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8683520, inode=0, rec_len=0,
name_len=0
[...]

Comment 11 Eugene Teo (Security Response) 2008-08-28 08:52:21 UTC
EXT2-fs error (device loop0): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop0): ext2_readdir: bad page in #2

Comment 12 Eric Sandeen 2008-09-02 21:07:15 UTC
I've got some changes to make ext2_find_entry return an error on too many bad pages, and then associated changes to propagate that error up.

Incidentally ext3 suffers similarly when faced with the same sort of corruption, even though the codepaths are slightly different.

ext4 is therefore almost certainly broken as well.

I guess we should fix them all at the same time ....

-Eric
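
An added illustration of the approach described in comment 12, not code from this bug or from the upstream commits: a user-space model of a directory lookup that rejects entries like the rec_len=0 ones in the log above and returns an error once too many pages are bad. The struct layout, the MAX_BAD_PAGES limit, the function names and the sample directory are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define PAGE_SZ       4096u
#define MIN_REC_LEN   12u  /* 8-byte header + shortest name, 4-byte aligned */
#define MAX_BAD_PAGES 4u   /* hypothetical limit, chosen for this example */
struct de { uint32_t inode; uint16_t rec_len; uint8_t name_len, file_type; }; /* host byte order in this model */

/* Scan one page: inode if found, 0 if absent, -1 on a bad entry (e.g. rec_len=0). */
static long scan_page(const uint8_t *p, const char *name, size_t want)
{
    struct de h;
    size_t off = 0;
    while (off + sizeof h <= PAGE_SZ) {
        memcpy(&h, p + off, sizeof h);
        if (h.rec_len < MIN_REC_LEN || (h.rec_len & 3) ||
            h.rec_len > PAGE_SZ - off || sizeof h + h.name_len > h.rec_len)
            return -1;               /* never advance by an unvalidated rec_len */
        if (h.inode && h.name_len == want && !memcmp(p + off + sizeof h, name, want))
            return (long)h.inode;
        off += h.rec_len;
    }
    return off == PAGE_SZ ? 0 : -1;  /* entries must tile the page exactly */
}

/* Returns the inode number, 0 if the name is absent, -EIO after too many bad pages. */
long find_entry(const uint8_t *dir, size_t npages, const char *name)
{
    size_t bad = 0;
    for (size_t n = 0; n < npages; n++) {
        long r = scan_page(dir + n * PAGE_SZ, name, strlen(name));
        if (r > 0) return r;
        if (r < 0 && ++bad > MAX_BAD_PAGES) return -EIO; /* stop and propagate */
    }
    return 0;
}

/* Constructed sample: 8 pages, the first `bad` zero-filled, "target" in the last. */
long demo_lookup(size_t bad)
{
    uint8_t dir[8 * PAGE_SZ] = {0};
    for (size_t n = bad; n < 8; n++) {
        struct de h = { n == 7 ? 42u : 0u, PAGE_SZ, n == 7 ? 6 : 0, 0 };
        memcpy(dir + n * PAGE_SZ, &h, sizeof h);
        if (n == 7) memcpy(dir + n * PAGE_SZ + sizeof h, "target", 6);
    }
    return find_entry(dir, 8, "target");
}
int main(void) { return demo_lookup(5) == -EIO ? 0 : 1; }
```

With up to four zero-filled pages the lookup still reaches the entry in the last page; a fifth bad page ends the scan with -EIO for the caller to handle.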

Comment 13 Eugene Teo (Security Response) 2008-09-03 03:04:46 UTC
(In reply to comment #12)
> I've got some changes to make ext2_find_entry return an error on too many bad
> pages, and then associated changes to propagate that error up.
> 
> Incidentally ext3 suffers similarly when faced with the same sort of
> corruption, even though the codepaths are slightly different.
> 
> ext4 is therefore almost certainly broken as well.
> 
> I guess we should fix them all at the same time ....

Aye. Thanks.

Comment 17 Eugene Teo (Security Response) 2008-10-21 00:56:10 UTC
Upstream commits:
- bd39597cbd42a784105a04010100e27267481c67 (ext2)
- cdbf6dba28e8e6268c8420857696309470009fd9 (ext3)
- 9d9f177572d9e4eba0f2e18523b44f90dd51fe74 (ext4)

Comment 18 Luis Claudio R. Goncalves 2008-10-28 18:56:38 UTC
Patches added to -90

Comment 19 errata-xmlrpc 2009-04-01 08:31:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0326 https://rhn.redhat.com/errata/RHSA-2009-0326.html

