Re: kernel: btrfs: check for read permission on src file in the clone ioctl

[Dan Rosenberg <dan.j.rosenberg () gmail com>]

Ubuntu 10.4 ships with a kernel that supports btrfs:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/579585

In case the bug description needs clarification, the bug allows an
unprivileged user to clone files that can be opened for writing
without read permissions.  Since cloning results in the creation of a
duplicate copy owned by the user who performed the cloning operation,
this is an information disclosure vulnerability.

-Dan

On Tue, May 18, 2010 at 5:13 AM, Eugene Teo <eugene () redhat com> wrote:
> The existing [btrfs] code would have allowed you to clone a file that was
> only open for writing. Not an expected behaviour.
>
> Upstream commit:
> http://git.kernel.org/linus/5dc6416414fb3ec6e2825fd4d20c8bf1d7fe0395
>
> Reference:
> https://bugzilla.redhat.com/show_bug.cgi?id=593226
>
> I'm not requesting a CVE name for this as it did not affect any of Red Hats'
> supported Linux kernels.
>
> Thanks, Eugene
> --
> main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }