freebsd-nq/sbin/fsck_ffs
Kirk McKusick 0061238fb0 This update eliminates a kernel stack disclosure bug in UFS/FFS
directory entries that is caused by uninitialized directory entry
padding written to the disk. It can be viewed by any user with read
access to that directory. Up to 3 bytes of kernel stack are disclosed
per file entry, depending on the the amount of padding the kernel
needs to pad out the entry to a 32 bit boundry. The offset in the
kernel stack that is disclosed is a function of the filename size.
Furthermore, if the user can create files in a directory, this 3
byte window can be expanded 3 bytes at a time to a 254 byte window
with 75% of the data in that window exposed. The additional exposure
is done by removing the entry, creating a new entry with a 4-byte
longer name, extracting 3 more bytes by reading the directory, and
repeating until a 252 byte name is created.

This exploit works in part because the area of the kernel stack
that is being disclosed is in an area that typically doesn't change
that often (perhaps a few times a second on a lightly loaded system),
and these file creates and unlinks themselves don't overwrite the
area of kernel stack being disclosed.

It appears that this bug originated with the creation of the Fast
File System in 4.1b-BSD (Circa 1982, more than 36 years ago!), and
is likely present in every Unix or Unix-like system that uses
UFS/FFS. Amazingly, nobody noticed until now.

This update also adds the -z flag to fsck_ffs to have it scrub
the leaked information in the name padding of existing directories.
It only needs to be run once on each UFS/FFS filesystem after a
patched kernel is installed and running.

Submitted by: David G. Lawrence <dg@dglawrence.com>
Reviewed by:  kib
MFC after:    1 week
2019-05-03 21:54:14 +00:00
..
dir.c This update eliminates a kernel stack disclosure bug in UFS/FFS 2019-05-03 21:54:14 +00:00
ea.c various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
fsck_ffs.8 This update eliminates a kernel stack disclosure bug in UFS/FFS 2019-05-03 21:54:14 +00:00
fsck.h This update eliminates a kernel stack disclosure bug in UFS/FFS 2019-05-03 21:54:14 +00:00
fsutil.c Make fsck(8) use pread(2). This cuts the number of syscalls by half. 2018-12-15 11:36:20 +00:00
gjournal.c In preparation for adding inode check-hashes, clean up and 2018-11-13 21:40:56 +00:00
globs.c This update eliminates a kernel stack disclosure bug in UFS/FFS 2019-05-03 21:54:14 +00:00
inode.c Followup to -r344552 in which fsck_ffs checks for a size past the 2019-04-13 13:31:06 +00:00
main.c This update eliminates a kernel stack disclosure bug in UFS/FFS 2019-05-03 21:54:14 +00:00
Makefile
Makefile.depend DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
pass1.c Followup to -r344552 in which fsck_ffs checks for a size past the 2019-04-13 13:31:06 +00:00
pass1b.c General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
pass2.c In preparation for adding inode check-hashes, change the fsck_ffs 2018-10-31 05:17:53 +00:00
pass3.c General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
pass4.c General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
pass5.c Ensure that cylinder-group check-hashes are properly updated when first 2018-12-05 06:31:50 +00:00
setup.c After a crash, a file that extends into indirect blocks may end up 2019-02-25 21:58:19 +00:00
suj.c Revert r313780 (UFS_ prefix) 2018-03-17 12:59:55 +00:00
utilities.c General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00