Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)

Stefan Traby (stefan@hello-penguin.com)
Wed, 10 Jan 2001 18:03:53 +0100


On Wed, Jan 10, 2001 at 07:02:08PM +0300, Vladimir V. Saveliev wrote:

> Hmm, wouldn't it make existing long named files unreachable?

This is not of primary interest. Security first.
The only way to recover those files secure without risking a crash
is maybe to let fsck rename those long files after the patch.

Before the 255-limit-patch a rename(2) may work, but without a directory
lookup from userland; quite hard to do.

When I played with Marc's case, I needed to reboot 2 times because I
tried to use tab-expansion on bash to get the filename; which caused
a machine freeze.

perl -e 'rmdir "x" x 768' worked,

or under bash

rmdir <ESC>768x should work, too.

Really, the 255-limit is essential as long as "struct dirent/64" has
d_name[255] hard coded. Somebody should send Drepper a patch;
I did not understand why he accepted a NAME_MAX of 4032 patch for
reiserfs while knowing the hardcoded dirent limit.

-- 

ciao - Stefan

" ( cd /lib ; ln -s libBrokenLocale-2.2.so libNiedersachsen.so ) " Stefan Traby Linux/ia32 fax: +43-3133-6107-9 Mitterlasznitzstr. 13 Linux/alpha phone: +43-3133-6107-2 8302 Nestelbach Linux/sparc http://www.hello-penguin.com Austria mailto://st.traby@opengroup.org Europe mailto://stefan@hello-penguin.com - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/