From: Ben Greenbaum (bgreenbaumSECURITYFOCUS.COM)
Date: Wed Jan 10 2001 - 11:14:43 CST

    summary of responses:

    -----------------------------------------
    From: Allen Bolderoff <allengist.net.au>

    latest reiserfs patches and 2.4 kernel is fine here

    ------------------------------------------------------
    From: "Brandon S. Allbery KF8NH" <allberyece.cmu.edu>

    <johnVMLINUX.NET> wrote:
    +-----
    | I can't reproduce this.
    +--->8

    I've just tried it on stock SuSE 6.4 and 7.0 and also cannot reproduce it.

    ---------------------------------------------
    From: "John H. Robinson, IV" <jhrivucsd.edu>

    [jaqqueosiris:/tmp/chk]% uname -a
    Linux osiris 2.2.18 [classified] Sat Jan 6 11:19:04 PST 2001 i586 unknown
    [jaqqueosiris:/tmp/chk]% mkdir "$(perl -e 'print "x" x 768')"

    no oops, but a directory that cannot be removed.
    linux kernel 2.2.18 with reiserfs-3.5.29 patch

    ---------------------------
    From: lloy0076rebel.net.au

    No oops maybe, BUT if you set up an evil script to make so many that the various kernel structures got too full (or it filled the whole partition/disk up) then....
    And at 650 MHz my computer could do that quite easily...

    ----------------------------------------------
    From: Torge Szczepanek <bugtraqszczepanek.de>

    I tested it under a fresh install of Suse Linux 7.0 using the Suse Linux
    7.0 Standard kernel Version 2.2.16 (includes ReiserFS version 3.5.23).

    I could not reproduce a kernel oops

    ------------------------------------
    From: Dj-Ohki <dj-ohkidigipimp.org>

    I've tried this on my machines, both over NFS and local reiserfs-mounted
    dirs. Both machines are running 2.4.0-test7 with reiserfs 3.6.14. It
    seems not to manifest in this version.

    --------------------------------------------
    From: Maarten Bukkems <MBukkemspcl-hage.nl>

    Kernel 2.4.0-test11, reiserfs 3.6.19 on SuSE 6.4 doesn't seem to be
    vulnerable. (even tried with 2048 chars .. no problem at all)

    -----------------------------------
    From: Dirk Mueller <dmuellgmx.net>

    If it helps, I'm using 2.2.18+reiserfs-3.5.29+ide-dma patch and I cannot
    reproduce ANYTHING said in the referred message. It works perfectly fine.
    I was using gcc 2.95.2 to compile the kernel.

    ------------------------------
    From: bugtraqjedi.claranet.fr

      ReiserFS 3.6.24 (kernel 2.4.0ac4) doesn't seem vulnerable to this attack.
    No segfault, no kernel oops and proper operations.
      But after having discovered such a vulnerability, ReiserFS definitely
    needs an audit, because other exploitable buffer overflows may still be
    with us in 3.6.x.

    readdir() doesn't find the xxxxxxx directory. rm -r x* would give you
    ENOENT.

      Tests show that such a directory can successfully be created, accessed (cd
    "$(perl -e 'print "x" x 4032')"), chmod'ed, renamed and deleted. But
    readdir() on the parent directory fails to find it. However it may be a
    ReiserFS bug (improper file length limitation) or a VFS bug (unable to deal
    with so long names).

    ----------------------------------------------------------------------
    From: Magosányi Árpád <magbunuel.tii.matav.hu>

    Negative. What versions is it reproducible on?

    kernel: 2.4.0
    disk format: 3.5.x
    reiserfs version: 3.6.24

    > While this individual bug might be easy to fix, we believe that other,
    > similar bugs should be easy to find so reiserfs should not be trusted (it
    > shouldn't be trusted to full user access for other reasons anyway, but it
    > is still widely used).

    Could you elaborate on it?

    ------------------------------
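
A regression check for the behaviour reported in the responses above, as an added example that is not part of the original thread: it probes a scratch directory with a name of exactly NAME_MAX bytes and with over-limit names (including the 768, 2048 and 4032 lengths mentioned above), and records whether each is refused with ENAMETOOLONG or accepted and then visible to readdir() and removable. The function names and the scratch directory are assumptions of this example.

```python
import errno
import os
import tempfile


def check_long_names(parent):
    """Probe how the filesystem holding `parent` treats names at and over NAME_MAX."""
    limit = os.pathconf(parent, "PC_NAME_MAX")
    result = {"name_max": limit, "over_limit": {}}

    # A name of exactly NAME_MAX bytes must be creatable, listed and removable.
    name = "x" * limit
    path = os.path.join(parent, name)
    os.mkdir(path)
    result["max_listed"] = name in os.listdir(parent)
    os.rmdir(path)
    result["max_removed"] = not os.path.exists(path)

    # Over-limit names: limit+1 plus the lengths quoted in the thread.
    for n in sorted({limit + 1, 768, 2048, 4032}):
        if n <= limit:
            continue  # this filesystem legitimately allows that length
        name = "x" * n
        path = os.path.join(parent, name)
        try:
            os.mkdir(path)
        except OSError as exc:
            result["over_limit"][n] = errno.errorcode.get(exc.errno, str(exc.errno))
            continue
        # The name was accepted: record the symptoms described in the thread
        # (missing from readdir() output, or impossible to remove).
        listed = name in os.listdir(parent)
        try:
            os.rmdir(path)
            removed = True
        except OSError:
            removed = False
        result["over_limit"][n] = f"ACCEPTED listed={listed} removed={removed}"
    return result


def filesystem_enforces_limit(result):
    """True when the boundary case works and every over-limit name is refused."""
    return (result["max_listed"] and result["max_removed"]
            and all(v == "ENAMETOOLONG" for v in result["over_limit"].values()))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as scratch:  # scratch location is an assumption
        print(check_long_names(scratch))
```

Point `check_long_names` at a directory on the filesystem under test; any `ACCEPTED` entry in `over_limit` is the condition the thread is arguing about.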