Vigil@nce: Linux kernel, file reading on XFS
June 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
On an XFS filesystem, when a file is open in write-only mode, a
local attacker can use the SWAPEXT ioctl to read the file.
– Severity: 1/4
– Creation date: 17/06/2010
DESCRIPTION OF THE VULNERABILITY
The Linux kernel supports the XFS (IRIX) filesystem.
The file.f_mode bitfield indicates the mode of a file:
– FMODE_READ: open for reading
– FMODE_WRITE: open for writing
– etc.
The SWAPEXT ioctl calls the xfs_swapext() function in
fs/xfs/xfs_dfrag.c, which copies the data and extended attributes
of a file to a temporary file. However, this function does not
check whether the source file is open for reading (FMODE_READ)
before copying it into the attacker’s file.
On an XFS filesystem, when a file is open in write-only mode, a
local attacker can therefore use the SWAPEXT ioctl to read the
file.
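An added example, not code from the bulletin or from the kernel: a user-space C model of the f_mode check that the description says xfs_swapext() lacked, shown beside a corrected form. The function names, the assumption that the earlier gate tested write access only, and the sample modes are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Same bit values as the kernel's FMODE_READ / FMODE_WRITE flags. */
#define FMODE_READ  0x1u
#define FMODE_WRITE 0x2u

/* Assumed pre-fix gate (hypothetical model): write access is verified,
 * read access is not, so a write-only source descriptor is accepted. */
int swapext_gate_before(unsigned int src_mode, unsigned int tmp_mode)
{
    if (!(src_mode & FMODE_WRITE) || !(tmp_mode & FMODE_WRITE))
        return -EBADF;
    return 0;
}

/* Corrected gate: the swap exposes the source's data through the other
 * descriptor, so both descriptors must be open for reading and writing. */
int swapext_gate_after(unsigned int src_mode, unsigned int tmp_mode)
{
    const unsigned int need = FMODE_READ | FMODE_WRITE;

    if ((src_mode & need) != need || (tmp_mode & need) != need)
        return -EBADF;
    return 0;
}

int main(void)
{
    /* Constructed cases: f_mode of the source file and of the temporary file. */
    const struct { const char *name; unsigned int src, tmp; } cases[] = {
        { "source read-write, temp read-write", FMODE_READ | FMODE_WRITE, FMODE_READ | FMODE_WRITE },
        { "source write-only, temp read-write", FMODE_WRITE, FMODE_READ | FMODE_WRITE },
        { "source read-only,  temp read-write", FMODE_READ, FMODE_READ | FMODE_WRITE },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-36s before=%d after=%d\n", cases[i].name,
               swapext_gate_before(cases[i].src, cases[i].tmp),
               swapext_gate_after(cases[i].src, cases[i].tmp));
    return 0;
}
```

Only the write-only source case differs between the two gates: the first accepts it, the second rejects it with EBADF.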
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-file-reading-on-XFS-9714