xorl %eax, %eax

CVE-2008-3528: Linux kernel Ext[234] DoS?

leave a comment »

This is an old (and really crappy) bug, it was reported by Eugene Teo on 20 August 2008 and it was referring to release of the Linux kernel. It is nothing really amazing but it won’t hurt anyone learning about one more bug so… Let’s have a look at External 2 filesystem’s directory parsing routines which can be found under fs/ext2/dir.c. Here is an interesting part…

106 static void ext2_check_page(struct page *page)
107 {
108        struct inode *dir = page->mapping->host;
118        if ((dir->i_size >> PAGE_CACHE_SHIFT) == page->index) {
119                limit = dir->i_size & ~PAGE_CACHE_MASK;
120                if (limit & (chunk_size - 1))
121                        goto Ebadsize;
146        /* Too bad, we had an error */
148 Ebadsize:
149        ext2_error(sb, "ext2_check_page",
150                "size of directory #%lu is not a multiple of chunk size",
151                dir->i_ino
152        );
153        goto fail;
182 fail:
183        SetPageChecked(page);
184        SetPageError(page);
185 }

So… nothing really bad seems to be happening here. In fact, the code is correct but if dir->size has some corrupted value which will lead us to lines 120-121, it will jump into Ebadsize (Error Bad Size), this can flood the console with useless messages. This was simply patched like this:

-static void ext2_check_page(struct page *page)
+static void ext2_check_page(struct page *page, int quiet)

So now, ext2_check_pages() also takes as an argument an integer used as a flag (this is bad.) to represent wether it should output error messages or not. And of course, this is checked on the fail label:

-    ext2_error(sb, "ext2_check_page",
-        "size of directory #%lu is not a multiple of chunk size",
-        dir->i_ino
-    );
+    if (!quiet)
+        ext2_error(sb, __func__,
+            "size of directory #%lu is not a multiple "
+            "of chunk size", dir->i_ino);

Of course, this could happen on other cases as well, just an addition of if(!quiet) { } clause solved the problem… There is no need to paste the rest of the patch, you got the idea. Same bugs where also patched on Ext3 and Ext4 filesystems. I totally agree with Theodore Ts’o regarding this bug.

Written by xorl

March 27, 2009 at 15:40

Posted in linux, vulnerabilities

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s