btrfs security issues (information disclosure, insufficient permission checking)

Bug #579585 reported by Dan Rosenberg on 2010-05-12
Affects: linux (Ubuntu), Importance: High, Assigned to: Unassigned
Affects: linux (Ubuntu Lucid), Importance: High, Assigned to: Unassigned

Bug Description

I have discovered two security issues in btrfs, tested on kernel 2.6.32-22-generic on Lucid. I've confirmed that these issues affect all versions >= 2.6.29. I've reported these issues to <email address hidden>, but am posting it here so there's a record that it affects Ubuntu.

1. The btrfs_ioctl_clone() ioctl, which copies the provided source file descriptor to a destination file descriptor, fails to check that the source file descriptor has been opened for reading before copying. This can allow an attacker to copy (and subsequently read) files without read permission. I've attached a simple reproducer (exploit.c) to verify the issue, which can be tested as follows:

$ dd if=/dev/zero of=fs.iso bs=1M count=500
$ losetup /dev/loop7 fs.iso
$ mkfs.btrfs /dev/loop7
$ mkdir mountpoint
$ mount /dev/loop7 mountpoint
$ cd mountpoint
$ echo "This is a write-only file" > target
$ chmod 200 target
$ ./exploit target output
$ cat output
This is a write-only file

2. btrfs_ioctl_trans_start() requires CAP_SYS_ADMIN to start a transaction, but btrfs_ioctl_trans_end() does not, allowing unprivileged users to end other users' transactions. While the security implications of this are a bit unclear, it seems unwise especially given the warnings about how transactions should only be started and ended by privileged processes, given the chance of deadlock.

I've attached a patch that requires CAP_SYS_ADMIN to end transactions and checks read permissions on the source file for the clone ioctl (btrfs.patch).
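
The descriptor-mode check at the heart of item 1, as an added example that is not the kernel's code or the reporter's attached patch: a user-space model of the permission checks a clone ioctl must make before copying, with the "source must be open for reading" check switchable so the unpatched and patched decisions can be compared. struct mfile, clone_check, trans_end_check, report_scenario and the flag values are assumptions made for this model only.

```c
/* Added example, not kernel code or the reporter's patch: a user-space model of
 * the descriptor-mode checks guarding the btrfs clone ioctl, with the "source
 * must be open for reading" check switchable so the unpatched and patched
 * decisions can be compared. All names here are assumed for this model only. */
#include <errno.h>
#include <stdbool.h>

#define FMODE_READ  0x1u  /* flag values chosen to mirror the kernel's */
#define FMODE_WRITE 0x2u

struct mfile {
    unsigned f_mode;  /* how this descriptor was opened, not the inode's mode bits */
    int inode;        /* identity of the underlying inode */
    int sb;           /* identity of the superblock it lives on */
    bool is_dir;
};

/* 0 if cloning src into dst may proceed, else a negative errno.
 * check_src_read == false models the unpatched behaviour the report describes. */
int clone_check(const struct mfile *dst, const struct mfile *src, bool check_src_read)
{
    if (!(dst->f_mode & FMODE_WRITE))  /* destination must be writable */
        return -EINVAL;
    if (src->inode == dst->inode)      /* refuse cloning a file onto itself */
        return -EINVAL;
    /* The information-disclosure bug: without this check a caller holding a
     * write-only descriptor on a file it cannot read can copy its contents out. */
    if (check_src_read && !(src->f_mode & FMODE_READ))
        return -EINVAL;
    if (src->is_dir || dst->is_dir)
        return -EISDIR;
    if (src->sb != dst->sb)            /* clone only within one filesystem */
        return -EXDEV;
    return 0;
}

/* Item 2 of the report: gate ending a transaction the same way as starting one. */
int trans_end_check(bool has_cap_sys_admin) { return has_cap_sys_admin ? 0 : -EPERM; }

/* Constructed scenario from the report: "target" is mode 0200, so the only
 * descriptor an unprivileged user can obtain on it is write-only. */
int report_scenario(bool patched)
{
    struct mfile target = { FMODE_WRITE, 1, 7, false };
    struct mfile output = { FMODE_READ | FMODE_WRITE, 2, 7, false };
    return clone_check(&output, &target, patched);
}
```

With the check disabled the write-only source is accepted and the copy proceeds; with it enabled the same call fails with -EINVAL before any data is read.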

Dan Rosenberg (dan-j-rosenberg) wrote :

Made public with commit:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5dc6416414fb3ec6e2825fd4d20c8bf1d7fe0395

The second item listed was identified as not being a security issue and may not be necessary to "fix".

visibility: private → public
tags: added: kj-triage
tags: added: patch
Changed in linux (Ubuntu):
status: New → Triaged
importance: Undecided → High
tags: added: kernel-fs kernel-needs-review
Andy Whitcroft (apw) on 2010-05-26
tags: added: kernel-reviewed-kernel-candidate kernel-security
removed: kernel-needs-review
Andy Whitcroft (apw) on 2010-05-26
tags: added: kernel-candidate kernel-reviewed
removed: kernel-reviewed-kernel-candidate
Andy Whitcroft (apw) on 2010-06-07
tags: removed: kernel-candidate
Stefan Bader (smb) on 2010-07-14
Changed in linux (Ubuntu):
assignee: nobody → Stefan Bader (stefan-bader-canonical)
Stefan Bader (smb) wrote :

This fix is included in Maverick.

Changed in linux (Ubuntu):
assignee: Stefan Bader (stefan-bader-canonical) → nobody
status: Triaged → Fix Released
Stefan Bader (smb) wrote :

The fix mentioned was actually released in Lucid with 2.6.32-23.37 as part of an upstream stable update. Sorry for missing the relation to this bug report.

Changed in linux (Ubuntu Lucid):
importance: Undecided → High
status: New → Fix Released