Bug#641419: linux-image-2.6.32-5-amd64: sendfile(2) behaves incorrectly in 2.6.32-5-amd64, overwriting written data
Package: linux-2.6
Version: 2.6.32-35squeeze2
Severity: important
In the squeeze standard 64 bit kernel (with either 64 or 32 bit
userspace) sendfile(2) is overwriting data already written to the file
descriptor by write(2). Here's a minimal test case:
-----------------------------------------------------------------------------
echo there >turtle.jpeg
cat <<EOF >sendfiletest.c
#include <unistd.h>
#include <fcntl.h>
#include <sys/sendfile.h>   /* declares sendfile(2); missing from the original listing */
int main()
{
    int fd1=open("turtle.jpeg", O_RDONLY);
    int fd2=open("test6.pdf", O_RDWR|O_CREAT|O_TRUNC, 0644);
    write(fd2, "hello", 5);            /* fd2's file position is now 5 */
    sendfile(fd2,fd1, NULL, 100000);   /* expected to append "there" at position 5, not at 0 */
    return 0;
}
EOF
gcc sendfiletest.c -o sendfiletest
./sendfiletest
cat test6.pdf
On squeeze's 2.6.32-5-amd64 kernel the file will contain "there". On
lenny, it will contain "hellothere". On later (backported or
handbuilt) kernels, the behaviour returns to "hellothere".
This isn't just a nasty bug, but I'm concerned it might be exploitable.
It certainly causes our pdf generation library to go horribly wrong :)
If there's anything else I can do to be of assistance, please do let
me know.
To be explicit, the server I sent this mail from is _not_ vulnerable
because it's running a backport kernel. This bug report refers to the
squeeze standard kernel, not the one I'm running here.
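The following is an added regression check for the behaviour described above; it is not part of the report and does not reuse the report's turtle.jpeg/test6.pdf files. It builds its own two temporary files (constructed here, under /tmp), does write(2) then sendfile(2) on the output descriptor exactly as the test case does, and then reads the file back from offset 0 instead of trusting the return values, so it reports 1 ("hellothere", correct), 0 (earlier data overwritten, the reported bug) or -1 (setup error). The function name write_then_sendfile_ok is an assumption of this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/sendfile.h>
#include <unistd.h>

/* Regression check for the write(2)-then-sendfile(2) ordering problem.
 * Returns 1 when the output file holds exactly "hellothere" (sendfile
 * continued at the descriptor's current position), 0 when the bytes from
 * write(2) were overwritten (the behaviour reported against 2.6.32-5-amd64),
 * and -1 when the temporary files could not be set up. */
static int write_then_sendfile_ok(void)
{
    /* Constructed paths for this example; mkstemp fills in the XXXXXX. */
    char in_path[] = "/tmp/sendfile-in-XXXXXX";
    char out_path[] = "/tmp/sendfile-out-XXXXXX";
    const char *prefix = "hello";
    const char *payload = "there";
    char buf[64];
    int in_fd, out_fd, result = -1;
    ssize_t n;

    in_fd = mkstemp(in_path);
    if (in_fd < 0)
        return -1;
    out_fd = mkstemp(out_path);
    if (out_fd < 0) {
        close(in_fd);
        unlink(in_path);
        return -1;
    }

    /* Fill the source file, then rewind so sendfile reads from offset 0. */
    if (write(in_fd, payload, strlen(payload)) != (ssize_t)strlen(payload))
        goto out;
    if (lseek(in_fd, 0, SEEK_SET) != 0)
        goto out;

    /* Step 1: ordinary write(2) leaves out_fd positioned at byte 5. */
    if (write(out_fd, prefix, strlen(prefix)) != (ssize_t)strlen(prefix))
        goto out;

    /* Step 2: sendfile(2) with a NULL offset reads from in_fd's position and
     * must write at out_fd's current position, not restart at byte 0. */
    n = sendfile(out_fd, in_fd, NULL, 100000);
    if (n != (ssize_t)strlen(payload))
        goto out;

    /* Read the whole file back rather than trusting the return values. */
    if (lseek(out_fd, 0, SEEK_SET) != 0)
        goto out;
    n = read(out_fd, buf, sizeof buf - 1);
    if (n < 0)
        goto out;
    buf[n] = '\0';

    result = (strcmp(buf, "hellothere") == 0) ? 1 : 0;

out:
    close(in_fd);
    close(out_fd);
    unlink(in_path);
    unlink(out_path);
    return result;
}

int main(void)
{
    int ok = write_then_sendfile_ok();
    if (ok == 1)
        puts("OK: write(2) data preserved, file holds \"hellothere\"");
    else if (ok == 0)
        puts("BUG: sendfile(2) overwrote data written earlier with write(2)");
    else
        puts("ERROR: could not set up the temporary files");
    return ok == 1 ? 0 : 1;
}
```

Run it on each kernel under test; a non-zero exit on the squeeze kernel and a zero exit on lenny or a backport kernel reproduces the three observations in the report. Checking the file contents rather than sendfile's byte count matters here because the affected kernel still returns the full count while silently placing the bytes at the wrong offset.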
-- Package-specific info:
** Kernel log: boot messages should be attached
-- System Information:
Debian Release: 6.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.39-bpo.2-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages linux-image-2.6.32-5-amd64 depends on:
ii debconf [debconf-2.0] 1.5.36.1 Debian configuration management sy
ii initramfs-tools [linux-init 0.99~bpo60+1 tools for generating an initramfs
ii linux-base 3.3~bpo60+1 Linux image base package
ii module-init-tools 3.12-1 tools for managing Linux kernel mo
Versions of packages linux-image-2.6.32-5-amd64 recommends:
ii firmware-linux-free 2.6.32-35squeeze2 Binary firmware for various driver
ii libc6-i686 2.11.2-10 Embedded GNU C Library: Shared lib
Versions of packages linux-image-2.6.32-5-amd64 suggests:
ii lilo 1:22.8-10 LInux LOader - The Classic OS load
pn linux-doc-2.6.32 <none> (no description available)
Versions of packages linux-image-2.6.32-5-amd64 is related to:
ii firmware-bnx2 0.33 Binary firmware for Broadcom NetXt
ii firmware-bnx2x 0.33 Binary firmware for Broadcom NetXt
pn firmware-ipw2x00 <none> (no description available)
pn firmware-ivtv <none> (no description available)
pn firmware-iwlwifi <none> (no description available)
pn firmware-linux <none> (no description available)
pn firmware-linux-nonfree <none> (no description available)
pn firmware-qlogic <none> (no description available)
pn firmware-ralink <none> (no description available)
pn xen-hypervisor <none> (no description available)
-- debconf-show failed