CVE-2010-2943: Infoleak

First published: Wed Aug 18 2010(Updated: )

Description of problem: This series closes a recently discovered problem in XFS filehandle conversion. On systems where inodes are dynamically deleted, XFS does not adequately verify the inode numbers in the filehandles, which results in reading stale inodes from disk and potentially returning them as valid files. Because these unlinked inodes were never zeroed out when the chunk was deallocated, some inodes in the chunk can still appear to have to data extents attached to them. This can lead to stale data exposure, exposure of active data and potentially overwriting of active data if the stale extents referenced in the unlinked inodes have been re-allocated. Both NFS filehandles and local filehandles provided through libhandle have this same problem. libhandle requires root permissions to use the interface, so it is not exposing information that you can't get more easily with other means (e.g. xfs_db or reading directly form the block device), so there isn't really an issue here. For NFS, we may incorrectly accept stale file handles for unlinked inodes after a server reboot if the unlinked inodes have not been overwritten leading to the above issues being triggered if multiple NFS clients are accessing the same files. Christoph's make-bulkstat-coherent patch is the basis for this series as bulkstat can also expose unlinked inodes and information about them back to userspace as it makes the same assumptions about inode lookups as the file handle interfaces. As a result, the first two patches of the series make up the real bug fix. The last two patches make it clear we are lookuping up untrusted inode numbers and clear away a shortcut that these interfaces used that we do not want used any more. Hence for backports to other kernels, only the first two patches are necessary. The test program that demonstrates the issue via the open_by_handle interface can be found here: <a href="http://oss.sgi.com/archives/xfs/2010-06/msg00191.html">http://oss.sgi.com/archives/xfs/2010-06/msg00191.html</a> Version 2: - removed useless ip-&gt;i_imap.im_blkno initialisation in xfs_iread() - reworked a comment refering to bulkstat when it should refer to untrusted inodes. - removed typedefs from xfs_imap_lookup() - killed useless error logging from xfs_imap_lookup() - rearranged the logic flow of xfs_imap_lookup() to remove the gotos. [PATCH 0/4, V2] xfs: validate inode numbers in file handles correctly <a href="http://article.gmane.org/gmane.comp.file-systems.xfs.general/33767">http://article.gmane.org/gmane.comp.file-systems.xfs.general/33767</a> [PATCH 1/4] xfs: always use iget in bulkstat <a href="http://article.gmane.org/gmane.comp.file-systems.xfs.general/33770">http://article.gmane.org/gmane.comp.file-systems.xfs.general/33770</a> [PATCH 2/4] xfs: validate untrusted inode numbers during lookup <a href="http://article.gmane.org/gmane.comp.file-systems.xfs.general/33771">http://article.gmane.org/gmane.comp.file-systems.xfs.general/33771</a> [PATCH 3/4] xfs: rename XFS_IGET_BULKSTAT to XFS_IGET_UNTRUSTED <a href="http://article.gmane.org/gmane.comp.file-systems.xfs.general/33768">http://article.gmane.org/gmane.comp.file-systems.xfs.general/33768</a> [PATCH 4/4] xfs: remove block number from inode lookup code <a href="http://article.gmane.org/gmane.comp.file-systems.xfs.general/33769">http://article.gmane.org/gmane.comp.file-systems.xfs.general/33769</a> [PATCH] xfsqa: test open_by_handle() on unlinked and freed inode cluster <a href="http://oss.sgi.com/archives/xfs/2010-06/msg00191.html">http://oss.sgi.com/archives/xfs/2010-06/msg00191.html</a>

Credit: secalert@redhat.com secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-historical
• collector/nvd-index
• agent/type
• agent/first-publish-date
• agent/last-modified-date
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2010-2943
• collector/launchpad-cve
• source/Launchpad
• agent/author
• agent/softwarecombine
• agent/weakness
• agent/remedy
• agent/severity
• agent/description
• collector/nvd-cve
• source/NVD
• agent/software-canonical-lookup
• collector/security-tracker-debian
• source/Debian
• agent/event
• agent/references
• agent/tags
• collector/usn-cve
• source/Ubuntu
• vendor/linux
• canonical/linux linux kernel
• vendor/canonical
• canonical/canonical ubuntu linux
• version/canonical ubuntu linux/10.10
• version/canonical ubuntu linux/9.10
• version/canonical ubuntu linux/10.04
• version/canonical ubuntu linux/6.06
• vendor/vmware
• canonical/vmware esx
• version/vmware esx/4.1
• version/vmware esx/4.0
• vendor/avaya
• canonical/avaya aura system manager
• version/avaya aura system manager/6.0
• version/avaya aura system manager/5.2
• canonical/avaya aura communication manager
• version/avaya aura communication manager/5.2
• canonical/avaya aura system platform
• version/avaya aura system platform/1.1
• version/avaya aura system platform/6.0
• version/avaya aura system platform/6.0-sp1
• version/avaya aura system manager/6.1
• version/avaya aura system manager/6.1.1
• canonical/avaya aura session manager
• version/avaya aura session manager/1.1
• version/avaya aura session manager/5.2
• version/avaya aura session manager/6.0
• canonical/avaya aura presence services
• version/avaya aura presence services/6.1
• version/avaya aura presence services/6.1.1
• version/avaya aura presence services/6.0
• canonical/avaya iq
• version/avaya iq/5.1
• version/avaya iq/5.0
• canonical/avaya aura voice portal
• version/avaya aura voice portal/5.0
• version/avaya aura voice portal/5.1
• version/avaya aura voice portal/5.1-sp1
• package-manager/debian