Date: Mon, 27 Aug 2001 02:21:18 -0700 (PDT) From: Scott Renfro <scott@renfro.org> To: FreeBSD-gnats-submit@freebsd.org Subject: ports/30120: [PATCH] Serious bug in security/cfs (data loss) Message-ID: <200108270921.f7R9LIR59447@renfro.org>
next in thread | raw e-mail | index | archive | help
>Number: 30120
>Category: ports
>Synopsis: [PATCH] Serious bug in security/cfs (data loss)
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Aug 27 02:30:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Scott Renfro
>Release: FreeBSD 4.3-STABLE i386
>Organization:
n/a
>Environment:
System: FreeBSD renfro.org 4.3-STABLE FreeBSD 4.3-STABLE #1: Sun Aug 5 13:27:32 PDT 2001 scott@renfro.org:/usr/src/sys/compile/FWGW4 i386
>Description:
Martin Forssen <maf@tkrat.org> and I have each independently found a
serious bug that leads to data loss in Matt Blaze's otherwise excellent
crypto-filesystem. This affects all recent versions of cfs that I
checked, including cfs-1.4.1, the current release.
When appending to the file with a write that is less than the cfs
blocksize (8 characters), if the resulting filesize is a multiple of the
cfs blocksize, the write is, in effect, thrown away. This results from
the padding scheme in place where a file under these conditions must be
truncated by the cfs blocksize (no padding is required when the data
falls on a boundary).
The fix is pretty simple and a patch is supplied below. I suspect that
this will be included in cfs at some point (it has already gone to
cfs-users, but with no response as yet), but it would be useful to have
the patch included in the ports tree until that time occurs to reduce
the chance of people losing data.
>How-To-Repeat:
Create a 7 byte file (echo "123456" > t.txt) on a cfs filesystem.
Append one byte to the file (echo "" > t.txt). The resulting file is
still just 7 bytes long.E
For me this shows up quite regularly when procmail writes new mail into
my mbox files -- the leading 'F' in the "^From " header is dropped; yes,
this means that messages 'disappear' and/or are merged into other
messages -- yech.
>Fix:
Add this patch from Martin as patch-ag (or whatever the next available
patch file name is).
--- cfs_fh.c.orig Mon Aug 27 01:47:52 2001
+++ cfs_fh.c Mon Aug 27 01:48:41 2001
@@ -177,6 +177,13 @@
perror("write");
return -1;
}
+ /* due to the way the file is padded we may actually have to
+ truncate it here. This happens when the write is at the end of
+ the file, is shorter than CFSBLOCK and brings the file to a length
+ which is evenly dividable by CFSBLOCK */
+ if (offset+len > dtov(sb.st_size) && vtod(offset+len) < sb.st_size) {
+ ftruncate(fd, vtod(offset+len));
+ }
/* iolen may contain CFSBLOCK extra chars */
return(dtov(iolen)-fronterr);
}
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200108270921.f7R9LIR59447>