Linux ext2_make_empty() Discloses Information to Remote and Local Users
SecurityTracker Alert ID: 1013630|
SecurityTracker URL: http://securitytracker.com/id/1013630
(Links to External Site)
Date: Apr 2 2005
Disclosure of system information, Disclosure of user information|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): prior to 2.4.30-rc2, 188.8.131.52|
An information disclosure vulnerability was reported in the Linux kernel ext2 implementation. A remote or local user can view potentially sensitive kernel memory contents.|
The ext2_make_empty() function does not properly clear filesystem contents when creating a directory. The block written to store the '.' and '..' directory entries is not properly initialized. As a result, approximately 4k of kernel memory may be leaked into the file system for each directory created.
A local or remote user with access to the filesystem (or filesystem images or devices) can obtain potentially sensitive information.
The vendor was notified on March 16, 2005.
The original advisory is available at:
Mathieu Lafon and Romain Francoise from Arkoon Security Team reported this vulnerability.
A user with access to the filesystem (or filesystem images or devices) can view portions of kernel memory.|
The vendor has issued fixed versions (2.4.30-rc2, 184.108.40.206), available at:|
Vendor URL: www.kernel.org/ (Links to External Site)
Access control error|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Date: Fri, 01 Apr 2005 14:59:42 +0200|
Subject: Information leak in the Linux kernel ext2 implementation
Description: Information leak in the Linux kernel ext2 implementation
Authors: Mathieu Lafon <firstname.lastname@example.org>
Romain Francoise <email@example.com>
Arkoon Security Team Advisory - March 25, 2005
The function ext2_make_empty() used in the Linux implementation of
the ext2 filesystem is vulnerable to an information leak. Upon
directory creation, a new block is obtained from kernel memory to
store the initial directory entries ('.' and '..'). This block is
used and written to disk uninitialized, leading to an information
leak in the block's slack space.
Depending on block size, up to 4072 (4096 - 2 * 12) bytes of kernel
memory can be leaked on each directory creation. This quantity
then decreases when additional entries are added to the directory
Note: since the ext2 implementation uses the dir-in-pagecache
design, any part of kernel memory is susceptible to be leaked, not
only old disk/filesystem data.
Leaked kernel memory can be found in ext2 filesystems; either on
hard drives, removable media (USB thumb drives, flash cards),
initrd images, UML filesystem images, etc...
A quick scan reveals that most ext2 images found on the Internet
contain information that was not meant to be distributed (ranging
from xterm scrollback data to email tidbits).
3. Affected versions
Linux 2.4.x series: all versions up to 2.4.29 (fixed in 2.4.30-rc2)
Linux 2.6.x series: all versions up to 220.127.116.11 (fixed in 18.104.22.168)
4. Vendor response
This vulnerability was acknowledged by the Kernel Security Team
(firstname.lastname@example.org) and fixed in versions 2.4.30-rc2 and 22.214.171.124.
The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2005-0400 to this issue.
03/15/2005 - Vulnerability discovered
03/16/2005 - Vulnerability details sent to email@example.com
03/16/2005 - Vulnerability confirmed by kernel maintainers
03/25/2005 - Linux 126.96.36.199 released with fix
03/25/2005 - Linux 2.4.30-rc2 released with fix
04/01/2005 - Public disclosure
This vulnerability was discovered by Romain Francoise and Mathieu
Lafon of the Arkoon Security Team (http://www.arkoon.com/).
Thanks to Andrew Morton, Marcelo Tosatti, Linus Torvalds, Alan Cox
and Chris Wright for their quick response.
7. About us
Arkoon Network Security's Security Team provides security
intelligence to Arkoon's departments, partners and clients, and to
the security community at large.
For further information, see http://www.arkoon.com/.
8. Legal notices
Copyright (C) 2005 Arkoon Network Security
Disclaimer: this document and all information therein are provided
"as is" without warranty of any kind, whether express or implied.
Arkoon Network Security does not warrant or assume any legal
liability or responsibility for the accuracy or completeness of
this information, nor for the possible damage caused by the use of