oss-sec mailing list archives
Linux kernel: fs/btrfs: null-ptr-dereference bug in btrfs_rm_device in fs/btrfs/volumes.c
From: butt3rflyh4ck <butterflyhuangxx () gmail com>
Date: Wed, 25 Aug 2021 10:49:04 +0800
Hello, there is a null pointer dereference bug in the btrfs_rm_device function in fs/btrfs/volumes.c in linux-5.14.0-rc4+ and reproduce too. Fortunately, triggering the bug requires ‘CAP_SYS_ADMIN’. #Root Cause When a user invokes a BTRFS_IOC_RM_DEV_V2 ioctl to remove a non-exist volume device, it would call btrfs_ioctl_rm_dev_v2 function to implement. And btrfs_ioctl_rm_dev_v2 would call btrfs_rm_device, if the id of the volume device is illegal, it would trigger a null-ptr-deref bug to cause DoS. # Analyse https://lore.kernel.org/linux-btrfs/CAFcO6XO5TC5sEo-C9JGC75JkNAzkOSSLA3a=bwQqXFFbRTZ7Gw () mail gmail com/T/#md4b850f33616b7364f86e6fed144abc925f3669c #Fix the patch for this issue, not available upstream now. https://lore.kernel.org/linux-btrfs/20210806102415.304717-1-wqu () suse com/T/#u #Timeline *2021/8/6 - Vulnerability reported to maintainer and CC to linux-btrfs () vger kernel org. *2021/8/6 - Vulnerability confirmed and patched. *2021/8/10 - Vulnerability reported to secalert () redhat com. *2021/8/25 - Opened on oss-security () lists openwall com. #Credit the issue is reported by Active Defense Lab of Venustech. Regards, butt3rflyh4ck. -- Active Defense Lab of Venustech
Current thread:
- Linux kernel: fs/btrfs: null-ptr-dereference bug in btrfs_rm_device in fs/btrfs/volumes.c butt3rflyh4ck (Aug 25)