Information leak in the Linux kernel ext2 implementation

Description: Information leak in the Linux kernel ext2 implementation
References: CAN-2005-0400
Authors: Mathieu Lafon <[email protected]>
Romain Francoise <[email protected]>

Arkoon Security Team Advisory - March 25, 2005
http://arkoon.net/advisories/ext2-make-empty-leak.txt
Revision: 1.0

1. Description

   The function ext2_make_empty() used in the Linux implementation of
   the ext2 filesystem is vulnerable to an information leak. Upon
   directory creation, a new block is obtained from kernel memory to
   store the initial directory entries ('.' and '…'). This block is
   used and written to disk uninitialized, leading to an information
   leak in the block's slack space.

   Depending on block size, up to 4072 (4096 - 2 * 12) bytes of kernel
   memory can be leaked on each directory creation. This quantity
   then decreases when additional entries are added to the directory
   block.

   Note: since the ext2 implementation uses the dir-in-pagecache
   design, any part of kernel memory is susceptible to be leaked, not
   only old disk/filesystem data.

2. Impact

   Leaked kernel memory can be found in ext2 filesystems; either on
   hard drives, removable media (USB thumb drives, flash cards),
   initrd images, UML filesystem images, etc…

   A quick scan reveals that most ext2 images found on the Internet
   contain information that was not meant to be distributed (ranging
   from xterm scrollback data to email tidbits).

3. Affected versions

   Linux 2.4.x series: all versions up to 2.4.29 (fixed in 2.4.30-rc2)
   Linux 2.6.x series: all versions up to 2.6.11.5 (fixed in 2.6.11.6)

4. Vendor response

   This vulnerability was acknowledged by the Kernel Security Team
   ([email protected]) and fixed in versions 2.4.30-rc2 and 2.6.11.6.

   The Common Vulnerabilities and Exposures (CVE) project has assigned
   the name CAN-2005-0400 to this issue.

5. Timeline

   03/15/2005 - Vulnerability discovered
   03/16/2005 - Vulnerability details sent to [email protected]
   03/16/2005 - Vulnerability confirmed by kernel maintainers
   03/25/2005 - Linux 2.6.11.6 released with fix
   03/25/2005 - Linux 2.4.30-rc2 released with fix
   04/01/2005 - Public disclosure

6. Credits

   This vulnerability was discovered by Romain Francoise and Mathieu
   Lafon of the Arkoon Security Team (http://www.arkoon.com/&#41;.

   Thanks to Andrew Morton, Marcelo Tosatti, Linus Torvalds, Alan Cox
   and Chris Wright for their quick response.

7. About us

   Arkoon Network Security's Security Team provides security
   intelligence to Arkoon's departments, partners and clients, and to
   the security community at large.

   For further information, see http://www.arkoon.com/.

8. Legal notices

   Copyright (C) 2005 Arkoon Network Security

   Disclaimer: this document and all information therein are provided
   "as is" without warranty of any kind, whether express or implied.

   Arkoon Network Security does not warrant or assume any legal
   liability or responsibility for the accuracy or completeness of
   this information, nor for the possible damage caused by the use of
   it.