From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Date: 4 Apr 2005 12:52:25 +0200
Subject: [UNIX] Linux Kernel Ext2 Implementation Information Leak
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050404110405.8C35E5777@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Linux Kernel Ext2 Implementation Information Leak
------------------------------------------------------------------------
SUMMARY
Leaked kernel memory can be found in ext2 filesystems either on hard
drives, removable media (USB thumb drives, flash cards), initrd images,
UML filesystem images and others.
DETAILS
Vulnerable Systems:
* Linux version 2.4.29 and prior
* Linux version 2.4.11.5 and prior
Immune Systems:
* Linux version 2.4.30-rc2
* Linux version 2.6.11.6
The function ext2_make_empty() used in the Linux implementation of the
ext2 filesystem is vulnerable to an information leak. Upon directory
creation, a new block is obtained from kernel memory to store the initial
directory entries ('.' and '..'). This block is used and written to disk
uninitialized, leading to an information leak in the block's slack space.
Depending on block size, up to 4072 (4096 - 2 * 12) bytes of kernel memory
can be leaked on each directory creation. This quantity then decreases
when additional entries are added to the directory block.
Since the ext2 implementation uses the dir-in-pagecache design, any part
of kernel memory is susceptible to be leaked, not only old disk/filesystem
data.
Vendor Status:
This vulnerability was acknowledged by the Kernel Security Team and fixed
in versions 2.4.30-rc2 and 2.6.11.6.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0400>;
CAN-2005-0400
Disclosure Timeline:
03/15/2005 - Vulnerability discovered
03/16/2005 - Vulnerability details sent to security@kernel.org and
confirmed by kernel maintainers
03/25/2005 - Linux 2.6.11.6 and 2.4.30-rc2 released with fix
04/01/2005 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by <mailto:security@arkoon.net.> Arkoon
Security Team .
The original article can be found at:
<http://arkoon.net/advisories/ext2-make-empty-leak.txt>;
http://arkoon.net/advisories/ext2-make-empty-leak.txt
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
