Subject: kern/12297: Seeking beyond the end of a file can recover old file system data
To: None <gnats-bugs@gnats.netbsd.org>
From: Richard Earnshaw <rearnsha@buzzard.freeserve.co.uk>
List: netbsd-bugs
Date: 02/27/2001 22:41:16
>Number:         12297
>Category:       kern
>Synopsis:       Seeking beyond the end of a file can recover old file system data
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Feb 27 14:42:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Richard Earnshaw
>Release:        NetBSD current c 2001/02/24 <NetBSD-current source date>
>Organization:
ARM
	
>Environment:
	
System: NetBSD buzzard.buzzard.freeserve.co.uk 1.5S NetBSD 1.5S (BUZZARD) #222: Sat Feb 24 20:01:55 GMT 2001 rearnsha@buzzard.buzzard.freeserve.co.uk:/usr/src/sys/arch/arm32/compile/BUZZARD arm32


>Description:
	Seeking beyond the end of a file that is being written can cause the 
	"holes" to be filled with garbage.  This garbage appears to be data
	from old files.  This could well be a major security hole.
	
>How-To-Repeat:
	Build and run the following program on a local (ufs) file system.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int
main(void)
{
  char buf[4096];
  FILE *f;
  int i, offset;
  int j=1;   /* only used by the commented-out line below */

  f = fopen("seek-test", "w");
  if (f == NULL)
    {
      perror("seek-test");
      exit(1);
    }

  offset = 0;
  i = 4096;

  /* Write about 4 MiB: each chunk is a little shorter than the last and
     the next fseek skips a random gap past the end of the data just
     written, so every gap is a hole the file system should return as
     zeros when the file is read back. */
  while (offset < 4096 * 1024)
    {
      i -= random() & 0xf;
      if (i < 0)
	i = 4095;
      memset(buf, 0, 4096);
      memset(buf + i, 1, 4096 - i);
      /*      buf[0] = j++; */
      fseek(f, offset, SEEK_SET);
      fwrite(buf, 1, i, f);
      offset += i + (random() & 0xf);
    }

  fclose(f);
  exit(0);
}
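As an added check program, not part of the original report: it recreates the write pattern above with deterministic chunk and hole sizes, reads the file back, and counts bytes inside the holes that are not zero, so stale data is reported by the program instead of being found by inspecting the file by hand. It uses stdio only; the function and macro names are mine, and the chunk/hole size formulas are arbitrary choices that keep holes straddling 4 KiB block boundaries.

```c
#include <stdio.h>
#include <string.h>

#define CHUNK_MAX 4096
#define RECORDS   64
/* Deterministic sizes (my choice) that still make holes straddle block boundaries. */
#define DATA_LEN(n) (512 + ((n) * 37) % 1000)
#define HOLE_LEN(n) (1024 + ((n) * 53) % 3000)

/* Write RECORDS chunks of 0xAA to f, each followed by a hole created by
 * seeking past EOF, then read back and count non-zero bytes in the holes.
 * Returns that count (0 on a correct file system), -1 on I/O error or if
 * the data itself reads back wrong.  f must be open for update ("w+"). */
long count_nonzero_in_holes(FILE *f)
{
    unsigned char buf[CHUNK_MAX];
    long offset = 0, bad = 0;
    int n, i;

    if (f == NULL)
        return -1;
    memset(buf, 0xAA, sizeof buf);
    for (n = 0; n <= RECORDS; n++) {   /* extra chunk closes the last hole */
        int data_len = DATA_LEN(n);
        if (fseek(f, offset, SEEK_SET) != 0 ||
            fwrite(buf, 1, data_len, f) != (size_t)data_len)
            return -1;
        offset += data_len + HOLE_LEN(n);  /* next write lands past EOF */
    }
    if (fflush(f) != 0)
        return -1;
    for (n = 0, offset = 0; n < RECORDS; n++) {
        int data_len = DATA_LEN(n), hole_len = HOLE_LEN(n);
        if (fseek(f, offset, SEEK_SET) != 0 ||
            fread(buf, 1, data_len, f) != (size_t)data_len)
            return -1;
        for (i = 0; i < data_len; i++)      /* written data must be intact */
            if (buf[i] != 0xAA)
                return -1;
        if (fread(buf, 1, hole_len, f) != (size_t)hole_len)
            return -1;
        for (i = 0; i < hole_len; i++)      /* a hole must read as zeros */
            if (buf[i] != 0)
                bad++;
        offset += data_len + hole_len;
    }
    return bad;
}
```

Call it with a FILE * from fopen(path, "w+") on the file system under test; any return other than 0 means the holes did not read back as zeros.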

	
>Fix:
	Unknown
	
>Release-Note:
>Audit-Trail:
>Unformatted: