I have discovered two security issues in btrfs, tested on kernel 2.6.32-22-generic on Lucid. I've confirmed that these issues affect all versions >= 2.6.29. I've reported these issues to <email address hidden>, but am posting it here so there's a record that it affects Ubuntu.
1. The btrfs_ioctl_clone() ioctl, which copies the provided source file descriptor to a destination file descriptor, fails to check that the source file descriptor has been opened for reading before copying. This can allow an attacker to copy (and subsequently read) files without read permission. I've attached a simple reproducer (exploit.c) to verify the issue, which can be tested as follows:
$ dd if=/dev/zero of=fs.iso bs=1M count=500
$ losetup /dev/loop7 fs.iso
$ mkfs.btrfs /dev/loop7
$ mkdir mountpoint
$ mount /dev/loop7 mountpoint
$ cd mountpoint
$ echo "This is a write-only file" > target
$ chmod 200 target
$ ./exploit target output
$ cat output
This is a write-only file
2. btrfs_ioctl_trans_start() requires CAP_SYS_ADMIN to start a transaction, but btrfs_ioctl_trans_end() does not, allowing unprivileged users to end other users' transactions. While the security implications of this are a bit unclear, it seems unwise especially given the warnings about how transactions should only be started and ended by privileged processes, given the chance of deadlock.
I've attached a patch that requires CAP_SYS_ADMIN to end transactions and checks read permissions on the source file for the clone ioctl (btrfs.patch).
Made public with commit:
http://
Second item listed was identified as not being a security issue and may not be necessary to "fix".