*** This bug is a security vulnerability *** Public security bug reported:
This bug applies to the 2.6.32 mainstream kernel. Kernel bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=15925

I'm adding this bug here because I tested with Ubuntu 10.04, so I know it also affects it. I'm checking the "security vulnerability" box because it can result in leaked file contents from removed files, but I'm no security expert so I may be wrong. The text on that bugzilla entry follows:

--------------------------------

There is a bad regression of the CIFS driver on 2.6.32 kernels (tested 2.6.32.11, 2.6.32.12 and Ubuntu 10.04 LTS 2.6.32-22-generic). The version of the server doesn't seem to matter (tested 2.6.27, 2.6.32 and Ubuntu 8.04 LTS 2.6.24-27-generic), as long as the client is 2.6.32-something.

Empty files created on the server become non-empty (with the contents of some earlier written file) when read by the client. This happens when using lockf() and without using it.

The following bash script shows the problem:

-----------< test-cifs.sh >------------------------
#!/bin/bash
# Repeatedly create, check and remove the files "1" and "2" in the
# current directory. Run it at the same time on the server and on a
# client that mounts the same directory over CIFS.
while true; do
    rnd=$(( RANDOM % 2 + 1 ))
    if [ -f "$rnd" ]; then
        v=$( cat "$rnd" )
        # A file that exists must be either empty or contain its own name.
        if [ -n "$v" ] && [ "$v" != "$rnd" ]; then
            echo "ERROR!!! rnd=$rnd val=$v"
            exit 1
        fi
        rm -f "$rnd"
    else
        touch "$rnd"
        echo "$rnd" > "$rnd"
    fi
done
-----------< test-cifs.sh >------------------------

When this script runs both on the server and on the client on the same shared directory, after a few seconds (sometimes almost right away), the client will exit with the error.

In a nutshell, the script creates a random (1 or 2) empty file if it doesn't exist, else makes sure its contents are either empty or the same as the file name. After the check, it removes the file.

The script running on the server will never fail, as expected, but the client will sometimes see the file with the wrong contents. This only occurs when the client is running 2.6.32 (.11-12 or the Ubuntu 10.04 one). Any other kernel version I tested will work as expected.
A workaround we found for this problem is to never delete the file, just truncate its size to zero. In this way the problem doesn't show. Replacing the 'rm -f $rnd' with 'echo -n "" > $rnd' is the script equivalent of this workaround.

I haven't tested 2.6.33 yet because we will have to work with 2.6.32 for the time being, so it's not a solution for me.

I'm available for any further information.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
Empty file creation corruption on CIFS filesystem
https://bugs.launchpad.net/bugs/577031
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs