btrfs security issues (information disclosure, insufficient permission checking)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | High | Unassigned | |
| Lucid | Fix Released | High | Unassigned | |
Bug Description
I have discovered two security issues in btrfs, tested on kernel 2.6.32-22-generic on Lucid. I've confirmed that these issues affect all versions >= 2.6.29. I've reported these issues to <email address hidden>, but am posting it here so there's a record that it affects Ubuntu.
1. The btrfs_ioctl_clone() ioctl, which copies the provided source file descriptor to a destination file descriptor, fails to check that the source file descriptor has been opened for reading before copying. This can allow an attacker to copy (and subsequently read) files without read permission. I've attached a simple reproducer (exploit.c) to verify the issue, which can be tested as follows:
```
$ dd if=/dev/zero of=fs.iso bs=1M count=500
$ losetup /dev/loop7 fs.iso
$ mkfs.btrfs /dev/loop7
$ mkdir mountpoint
$ mount /dev/loop7 mountpoint
$ cd mountpoint
$ echo "This is a write-only file" > target
$ chmod 200 target
$ ./exploit target output
$ cat output
This is a write-only file
```
2. btrfs_ioctl_
I've attached a patch that requires CAP_SYS_ADMIN to end transactions and checks read permissions on the source file for the clone ioctl (btrfs.patch).
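The missing check described in item 1 is that the kernel never confirmed the source file had been opened for reading before cloning its contents. The following is an added userspace model of that check (not the kernel patch and not the reporter's code): it reads back the access mode of an open file description with `fcntl(F_GETFL)`, the userspace analogue of testing the kernel's `FMODE_READ`, and refuses a clone from a write-only source. The function names and the `/tmp` test path are assumptions for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Userspace analogue of the check btrfs_ioctl_clone() lacked: the source
 * descriptor must have been opened with read access. The kernel tests
 * FMODE_READ on the struct file; here we inspect the O_ACCMODE bits.
 * Returns 1 if the descriptor permits reading, 0 if not, -1 on error. */
int fd_has_read_access(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0)
        return -1;
    int mode = flags & O_ACCMODE;
    return (mode == O_RDONLY || mode == O_RDWR) ? 1 : 0;
}

/* Hypothetical gate in front of a clone operation: a source opened
 * write-only (the scenario in the report: a mode 0200 file) is rejected,
 * so its contents can never be copied to a readable destination. */
int clone_source_allowed(int src_fd)
{
    return fd_has_read_access(src_fd) == 1;
}

/* Demonstration helper: open (creating if needed) path with the given
 * access flags and report whether a clone from it would be permitted. */
int check_path(const char *path, int flags)
{
    int fd = open(path, flags | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    int allowed = clone_source_allowed(fd);
    close(fd);
    return allowed;
}

int main(void)
{
    const char *path = "/tmp/clone_check_demo"; /* constructed test file */
    printf("write-only source allowed: %d\n", check_path(path, O_WRONLY));
    printf("read-only source allowed:  %d\n", check_path(path, O_RDONLY));
    printf("read-write source allowed: %d\n", check_path(path, O_RDWR));
    unlink(path);
    return 0;
}
```

Running it prints 0 for the write-only case and 1 for the other two, which is the decision the patched ioctl makes before touching any extents.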
tags: added: kj-triage
tags: added: patch
Changed in linux (Ubuntu):
status: New → Triaged
importance: Undecided → High
tags: added: kernel-fs kernel-needs-review
tags: added: kernel-reviewed-kernel-candidate kernel-security; removed: kernel-needs-review
tags: added: kernel-candidate kernel-reviewed; removed: kernel-reviewed-kernel-candidate
tags: removed: kernel-candidate
Changed in linux (Ubuntu):
assignee: nobody → Stefan Bader (stefan-bader-canonical)
Made public with commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5dc6416414fb3ec6e2825fd4d20c8bf1d7fe0395
Second item listed was identified as not being a security issue and may not be necessary to "fix".