[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [oss-security] Linux kernel: fs/btrfs: null-ptr-dereference bug in btrfs_rm_device in fs/btrfs/volumes.c



The patch for this issue is available upstream.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091


Regards,
 butt3rflyh4ck.

On Thu, Aug 26, 2021 at 5:36 PM butt3rflyh4ck
<butterflyhuangxx AT gmail.com> wrote:
>
> Hi, RedHat has assigned  CVE-2021-3739   to this issue.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3739.
>
> Please track the below link for more information.
> https://bugzilla.redhat.com/show_bug.cgi?id=1997958
>
> Regards,
>   butt3rflyh4ck.
>
>
>
> On Wed, Aug 25, 2021 at 10:49 AM butt3rflyh4ck
> <butterflyhuangxx AT gmail.com> wrote:
> >
> > Hello, there is a null pointer dereference bug in the btrfs_rm_device
> > function in fs/btrfs/volumes.c in linux-5.14.0-rc4+ and reproduce too.
> > Fortunately, triggering the bug requires ‘CAP_SYS_ADMIN’.
> >
> > #Root Cause
> > When a user invokes a BTRFS_IOC_RM_DEV_V2 ioctl to remove a non-exist
> > volume device,
> > it would call btrfs_ioctl_rm_dev_v2 function to implement. And
> > btrfs_ioctl_rm_dev_v2 would call btrfs_rm_device,
> > if the id of the volume device is illegal, it would trigger a
> > null-ptr-deref bug to cause DoS.
> >
> > # Analyse
> > https://lore.kernel.org/linux-btrfs/CAFcO6XO5TC5sEo-C9JGC75JkNAzkOSSLA3a=bwQqXFFbRTZ7Gw AT mail.gmail.com/T/#md4b850f33616b7364f86e6fed144abc925f3669c
> >
> > #Fix
> > the patch for this issue, not available upstream now.
> > https://lore.kernel.org/linux-btrfs/20210806102415.304717-1-wqu AT suse.com/T/#u
> >
> >
> > #Timeline
> > *2021/8/6 - Vulnerability reported to maintainer and CC to
> > linux-btrfs AT vger.kernel.org.
> > *2021/8/6 - Vulnerability confirmed and patched.
> > *2021/8/10 - Vulnerability reported to secalert AT redhat.com.
> > *2021/8/25 - Opened on oss-security AT lists.openwall.com.
> >
> > #Credit
> > the issue is reported by Active Defense Lab of Venustech.
> >
> > Regards,
> >  butt3rflyh4ck.
> > --
> > Active Defense Lab of Venustech
>
>
>
> --
> Active Defense Lab of Venustech



-- 
Active Defense Lab of Venustech