459577 – (CVE-2008-3528) CVE-2008-3528 Linux kernel ext[234] directory corruption denial of service

Bug 459577 (CVE-2008-3528) - CVE-2008-3528 Linux kernel ext[234] directory corruption denial of service

Summary: CVE-2008-3528 Linux kernel ext[234] directory corruption denial of service

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-3528
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	459586 459587 459592 459593 459598 459599 459601 459604
Blocks:
TreeView+	depends on / blocked

Reported:	2008-08-20 11:38 UTC by Eugene Teo (Security Response)
Modified:	2019-09-29 12:26 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-09-30 03:35:06 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2008:0972	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2008-11-19 13:44:42 UTC
Red Hat Product Errata	RHSA-2009:0009	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2009-01-22 10:43:54 UTC
Red Hat Product Errata	RHSA-2009:0326	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2009-04-01 08:28:02 UTC

Description Eugene Teo (Security Response) 2008-08-20 11:38:07 UTC

Description of problem:
Eugene Teo reported that the ext2 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when read or write operations are performed.

Comment 4 Eugene Teo (Security Response) 2008-08-20 12:47:43 UTC

It will loop in ext2_find_entry routine almost ad infinitum.

EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8654848, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8658944, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8663040, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8667136, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8671232, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8675328, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8679424, inode=0, rec_len=0,
name_len=0
EXT2-fs error (device loop(7,0)): ext2_check_page: bad entry in directory #2:
rec_len is smaller than minimal - offset=8683520, inode=0, rec_len=0,
name_len=0
[...]

Comment 11 Eugene Teo (Security Response) 2008-08-28 08:52:21 UTC

EXT2-fs error (device loop0): ext2_check_page: bad entry in directory #2: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0
EXT2-fs error (device loop0): ext2_readdir: bad page in #2

Comment 12 Eric Sandeen 2008-09-02 21:07:15 UTC

I've got some changes to make ext2_find_entry return an error on too many bad pages, and then associated changes to propagate that error up.

Incidentally ext3 suffers similarly when faced with the same sort of corruption, even though the codepaths are slightly different.

ext4 is therefore almost certainly broken as well.

I guess we should fix them all at the same time ....

-Eric

Comment 13 Eugene Teo (Security Response) 2008-09-03 03:04:46 UTC

(In reply to comment #12)
> I've got some changes to make ext2_find_entry return an error on too many bad
> pages, and then associated changes to propagate that error up.
> 
> Incidentally ext3 suffers similarly when faced with the same sort of
> corruption, even though the codepaths are slightly different.
> 
> ext4 is therefore almost certainly broken as well.
> 
> I guess we should fix them all at the same time ....

Aye. Thanks.

Comment 16 Eugene Teo (Security Response) 2008-09-18 01:37:56 UTC

References:
http://lkml.org/lkml/2008/9/13/98
http://lkml.org/lkml/2008/9/13/99
http://lkml.org/lkml/2008/9/17/371

Comment 17 Eugene Teo (Security Response) 2008-10-21 00:56:10 UTC

Upstream commits:
- bd39597cbd42a784105a04010100e27267481c67 (ext2)
- cdbf6dba28e8e6268c8420857696309470009fd9 (ext3)
- 9d9f177572d9e4eba0f2e18523b44f90dd51fe74 (ext4)

Comment 18 Luis Claudio R. Goncalves 2008-10-28 18:56:38 UTC

Patches added to -90

Comment 19 errata-xmlrpc 2009-04-01 08:31:10 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0326 https://rhn.redhat.com/errata/RHSA-2009-0326.html

Note You need to log in before you can comment on or make changes to this bug.