Bug#303500: CAN-2005-0400: EXT2 File System Information Leak Vulnerability
Package: kernel-source-2.6.8
Version: 2.6.8-15
Severity: normal
Information leak in ext2 code. Quoting from USN-103-1:
>Mathieu Lafon discovered an information leak in the ext2 file system
>driver. When a new directory was created, the ext2 block written to
>disk was not initialized, so that previous memory contents (which
>could contain sensitive data like passwords) became visible on the raw
>device. This is particularly important if the target device is
>removable and thus can be read by users other than root.
The patch 2.6.11.6 that deals with this is:
--- a/fs/ext2/dir.c 2005-03-25 19:28:57 -08:00
+++ b/fs/ext2/dir.c 2005-03-25 19:28:57 -08:00
@@ -592,6 +592,7 @@
goto fail;
}
kaddr = kmap_atomic(page, KM_USER0);
+ memset(kaddr, 0, chunk_size);
de = (struct ext2_dir_entry_2 *)kaddr;
de->name_len = 1;
de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1));
Reply to: