lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <bug-40512-13602@https.bugzilla.kernel.org/>
Date:	Thu, 4 Aug 2011 01:51:00 GMT
From:	bugzilla-daemon@...zilla.kernel.org
To:	linux-ext4@...r.kernel.org
Subject: [Bug 40512] New: EXT4_IOC_MIGRATE is dangerous on directories

https://bugzilla.kernel.org/show_bug.cgi?id=40512

           Summary: EXT4_IOC_MIGRATE is dangerous on directories
           Product: File System
           Version: 2.5
    Kernel Version: 2.6.39
          Platform: All
        OS/Version: Linux
              Tree: Mainline
            Status: NEW
          Severity: high
          Priority: P1
         Component: ext4
        AssignedTo: fs_ext4@...nel-bugs.osdl.org
        ReportedBy: benjamin@...hon.org
        Regression: No


Using EXT4_IOC_MIGRATE on a non-extent directory seems to have terrible
consequences. Consider the following example. "dir" is a old directory without
extents.

$ ls -la dir/
total 12
drwxr-xr-x  2 benjamin benjamin 4096 Aug  3 20:42 .
drwxr-xr-x 47 benjamin benjamin 4096 Aug  3 20:42 ..
-rw-r-----  1 benjamin benjamin    7 Aug  3 20:42 something.txt
$ cat migrate.c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>

int
main(int argc, char **argv)
{
    const char *fn = argv[1];
    int fd, ret;

    fd = open(fn, O_RDONLY);
    /* This invokes EXT4_IOC_MIGRATE. */
    ret = ioctl(fd, 0x6609);
    close(fd);
    if (ret < 0) {
        fprintf(stderr, "ioctl failed\n");
        return 1;
    }
    printf("Migration successful?\n");
    return 0;
}
$ gcc -o migrate migrate.c
$ ./migrate dir
Migration successful?
$ ls -la dir
total 0 # !!!!!!!!!!!!!!

Also, we why are you allowed to migrate stuff with only O_RDONLY access?

-- 
Configure bugmail: https://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ