-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Name:     Linux kernel
Version:  up to 2.2.20 and 2.4.18
Homepage: http://www.kernel.org/
Author:   Wojciech Purczynski <cliphat_private>
Date:     March 26, 2002

Issue:
======

For excessively long path names, the kernel-internal function d_path
returns the truncated trailing components of the path name instead of an
error value. Because this function is called by the getcwd(2) system call
and by do_proc_readlink(), false information may be returned to user-space
processes.

Description:
============

Linux is a clone of the operating system Unix, written from scratch by
Linus Torvalds with assistance from a loosely-knit team of hackers across
the Net. It aims towards POSIX and Single UNIX Specification compliance.

Details:
========

The d_path kernel function resolves the absolute path name of the dentry
passed to it as an argument. The path is built by concatenating successive
path components, starting from the trailing component, into a fixed-length
buffer of PAGE_SIZE bytes. If the dentry refers to a path longer than
PAGE_SIZE - 1 characters, the leading path components are not written to
the buffer and the function returns the truncated path without an error
value.

Because the getcwd(2) system call uses d_path(), it may return an invalid
path to the user-space process. (If the returned path is longer than the
user-space buffer, however, a correct error value is returned.)

The readlink(2) system call, when called on the proc filesystem, uses
do_proc_readlink(), which is also affected by the d_path() bug.

Impact:
=======

A privileged process may be tricked into believing it is inside an
arbitrary directory. Other scenarios are possible if readlink() is used
on files on the proc filesystem (such as "/proc/self/exe").

PS: Please CC to securityat_private as I may not be subscribed to the list.
- -- 
Wojciech Purczynski
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8oHpKC+8U3Z5wpu4RAn6qAJ4seIO2xfXvrHmTMFQoMkGus23fJwCgjka7
ew84vFEFTO8lI7PQgEdyG0c=
=sEfh
-----END PGP SIGNATURE-----
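The prepend-into-a-fixed-buffer construction described under Details, as an added C model that is neither the kernel's code nor the advisory author's. build_path() assembles a path trailing-component-first into a buffer the way d_path() does; with fixed == 0 it stops silently when the buffer runs out and hands back the truncated tail (the behaviour the advisory describes), with fixed != 0 it returns NULL and sets errno to ENAMETOOLONG instead. MODEL_PAGE_SIZE, the sample components and names_current_dir() are constructed for this example; the last is the kind of user-space cross-check a privileged program can make, comparing device and inode of a name returned by getcwd(2) against "." so that a wrong answer is noticed rather than trusted.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Model of the kernel's page-sized path buffer, shrunk to 16 bytes so the
 * overflow is easy to trigger (constructed value; x86 PAGE_SIZE is 4096). */
#define MODEL_PAGE_SIZE 16

/* Assemble an absolute path the way d_path() does: each component is
 * prepended into the tail of a fixed buffer, starting with the trailing one.
 * names[0] is the trailing component, names[n-1] the one directly under "/".
 * Returns a pointer into buf.
 *   fixed == 0: when the buffer is exhausted the loop just stops and the
 *               truncated tail is returned with no error (the advisory's bug).
 *   fixed != 0: returns NULL with errno = ENAMETOOLONG instead. */
static char *build_path(const char *const *names, size_t n,
                        char *buf, size_t buflen, int fixed)
{
    char *end = buf + buflen;
    char *retval;
    size_t i;

    if (buflen < 2) {
        errno = ENAMETOOLONG;
        return NULL;
    }
    *--end = '\0';
    buflen--;
    retval = end - 1;
    *retval = '/';                  /* no components at all: the path is "/" */

    for (i = 0; i < n; i++) {
        size_t namelen = strlen(names[i]);
        if (buflen < namelen + 1) { /* name plus its leading '/' does not fit */
            if (fixed) {
                errno = ENAMETOOLONG;
                return NULL;
            }
            break;                  /* bug: leading components silently dropped */
        }
        buflen -= namelen + 1;
        end -= namelen;
        memcpy(end, names[i], namelen);
        *--end = '/';
        retval = end;
    }
    return retval;
}

/* Constructed sample: /home/alice/work is 16 characters, so it needs 17 bytes
 * and does not fit into the 16-byte model page. */
static const char *const sample[] = { "work", "alice", "home" };

/* What a caller sees from the unfixed variant: "/alice/work" and no error. */
const char *demo_buggy(void)
{
    static char page[MODEL_PAGE_SIZE];
    return build_path(sample, 3, page, sizeof page, 0);
}

/* What a caller sees from the fixed variant: NULL and errno == ENAMETOOLONG. */
int demo_fixed_errno(void)
{
    static char page[MODEL_PAGE_SIZE];
    errno = 0;
    if (build_path(sample, 3, page, sizeof page, 1) == NULL)
        return errno;
    return 0;
}

/* With one more byte of buffer both variants return the full path. */
const char *demo_fits(void)
{
    static char page[MODEL_PAGE_SIZE + 1];
    return build_path(sample, 3, page, sizeof page, 1);
}

/* User-space cross-check before trusting a name from getcwd(2): a truncated
 * or otherwise wrong name cannot have the same device and inode as ".".
 * Returns 1 when path names the current directory, 0 otherwise. */
int names_current_dir(const char *path)
{
    struct stat a, b;
    if (stat(path, &a) != 0 || stat(".", &b) != 0)
        return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

int main(void)
{
    printf("unfixed : %s\n", demo_buggy());
    printf("fixed   : errno %d (ENAMETOOLONG is %d)\n", demo_fixed_errno(), ENAMETOOLONG);
    printf("17 bytes: %s\n", demo_fits());
    printf("\".\" names the current directory: %d\n", names_current_dir("."));
    return 0;
}
```

The unfixed variant hands "/alice/work" to its caller with no indication that "/home" was dropped, which is exactly what lets getcwd(2) report a directory the process is not in; the fixed variant turns the same overflow into an error the caller must handle.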
This archive was generated by hypermail 2b30 : Tue Mar 26 2002 - 13:39:13 PST