oss-sec mailing list archives
Re: Linux kernel: fs/btrfs: null-ptr-dereference bug in btrfs_rm_device in fs/btrfs/volumes.c
From: butt3rflyh4ck <butterflyhuangxx () gmail com>
Date: Wed, 1 Sep 2021 14:38:33 +0800
The patch for this issue is available upstream. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091 Regards, butt3rflyh4ck. On Thu, Aug 26, 2021 at 5:36 PM butt3rflyh4ck <butterflyhuangxx () gmail com> wrote:
Hi, RedHat has assigned CVE-2021-3739 to this issue. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3739. Please track the below link for more information. https://bugzilla.redhat.com/show_bug.cgi?id=1997958 Regards, butt3rflyh4ck. On Wed, Aug 25, 2021 at 10:49 AM butt3rflyh4ck <butterflyhuangxx () gmail com> wrote:Hello, there is a null pointer dereference bug in the btrfs_rm_device function in fs/btrfs/volumes.c in linux-5.14.0-rc4+ and reproduce too. Fortunately, triggering the bug requires ‘CAP_SYS_ADMIN’. #Root Cause When a user invokes a BTRFS_IOC_RM_DEV_V2 ioctl to remove a non-exist volume device, it would call btrfs_ioctl_rm_dev_v2 function to implement. And btrfs_ioctl_rm_dev_v2 would call btrfs_rm_device, if the id of the volume device is illegal, it would trigger a null-ptr-deref bug to cause DoS. # Analyse https://lore.kernel.org/linux-btrfs/CAFcO6XO5TC5sEo-C9JGC75JkNAzkOSSLA3a=bwQqXFFbRTZ7Gw () mail gmail com/T/#md4b850f33616b7364f86e6fed144abc925f3669c #Fix the patch for this issue, not available upstream now. https://lore.kernel.org/linux-btrfs/20210806102415.304717-1-wqu () suse com/T/#u #Timeline *2021/8/6 - Vulnerability reported to maintainer and CC to linux-btrfs () vger kernel org. *2021/8/6 - Vulnerability confirmed and patched. *2021/8/10 - Vulnerability reported to secalert () redhat com. *2021/8/25 - Opened on oss-security () lists openwall com. #Credit the issue is reported by Active Defense Lab of Venustech. Regards, butt3rflyh4ck. -- Active Defense Lab of Venustech-- Active Defense Lab of Venustech
-- Active Defense Lab of Venustech
Current thread:
- Linux kernel: fs/btrfs: null-ptr-dereference bug in btrfs_rm_device in fs/btrfs/volumes.c butt3rflyh4ck (Aug 25)
- Re: Linux kernel: fs/btrfs: null-ptr-dereference bug in btrfs_rm_device in fs/btrfs/volumes.c butt3rflyh4ck (Aug 26)
- Re: Linux kernel: fs/btrfs: null-ptr-dereference bug in btrfs_rm_device in fs/btrfs/volumes.c butt3rflyh4ck (Sep 01)
- Re: Linux kernel: fs/btrfs: null-ptr-dereference bug in btrfs_rm_device in fs/btrfs/volumes.c butt3rflyh4ck (Aug 26)