[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [oss-security] Linux kernel: fs/btrfs: null-ptr-dereference bug in btrfs_rm_device in fs/btrfs/volumes.c
The patch for this issue is available upstream.
On Thu, Aug 26, 2021 at 5:36 PM butt3rflyh4ck
<butterflyhuangxx AT gmail.com> wrote:
> Hi, RedHat has assigned CVE-2021-3739 to this issue.
> Please track the below link for more information.
> On Wed, Aug 25, 2021 at 10:49 AM butt3rflyh4ck
> <butterflyhuangxx AT gmail.com> wrote:
> > Hello, there is a null pointer dereference bug in the btrfs_rm_device
> > function in fs/btrfs/volumes.c in linux-5.14.0-rc4+ and reproduce too.
> > Fortunately, triggering the bug requires ‘CAP_SYS_ADMIN’.
> > #Root Cause
> > When a user invokes a BTRFS_IOC_RM_DEV_V2 ioctl to remove a non-exist
> > volume device,
> > it would call btrfs_ioctl_rm_dev_v2 function to implement. And
> > btrfs_ioctl_rm_dev_v2 would call btrfs_rm_device,
> > if the id of the volume device is illegal, it would trigger a
> > null-ptr-deref bug to cause DoS.
> > # Analyse
> > https://lore.kernel.org/linux-btrfs/CAFcO6XO5TC5sEo-C9JGC75JkNAzkOSSLA3a=bwQqXFFbRTZ7Gw AT mail.gmail.com/T/#md4b850f33616b7364f86e6fed144abc925f3669c
> > #Fix
> > the patch for this issue, not available upstream now.
> > https://lore.kernel.org/linux-btrfs/20210806102415.304717-1-wqu AT suse.com/T/#u
> > #Timeline
> > *2021/8/6 - Vulnerability reported to maintainer and CC to
> > linux-btrfs AT vger.kernel.org.
> > *2021/8/6 - Vulnerability confirmed and patched.
> > *2021/8/10 - Vulnerability reported to secalert AT redhat.com.
> > *2021/8/25 - Opened on oss-security AT lists.openwall.com.
> > #Credit
> > the issue is reported by Active Defense Lab of Venustech.
> > Regards,
> > butt3rflyh4ck.
> > --
> > Active Defense Lab of Venustech
> Active Defense Lab of Venustech
Active Defense Lab of Venustech