[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Linux kernel: fs/btrfs: null-ptr-dereference bug in btrfs_rm_device in fs/btrfs/v
From: butt3rflyh4ck <butterflyhuangxx () gmail ! com>
Date: 2021-08-26 9:36:02
Message-ID: CAFcO6XNHPFyFvFUJhPVQ+YHLZw=fnxGoig+ZjWjv7rXZcxmX2g () mail ! gmail ! com
[Download RAW message or body]
Hi, RedHat has assigned CVE-2021-3739 to this issue.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3739.
Please track the below link for more information.
https://bugzilla.redhat.com/show_bug.cgi?id=1997958
Regards,
butt3rflyh4ck.
On Wed, Aug 25, 2021 at 10:49 AM butt3rflyh4ck
<butterflyhuangxx@gmail.com> wrote:
>
> Hello, there is a null pointer dereference bug in the btrfs_rm_device
> function in fs/btrfs/volumes.c in linux-5.14.0-rc4+ and reproduce too.
> Fortunately, triggering the bug requires ‘CAP_SYS_ADMIN'.
>
> #Root Cause
> When a user invokes a BTRFS_IOC_RM_DEV_V2 ioctl to remove a non-exist
> volume device,
> it would call btrfs_ioctl_rm_dev_v2 function to implement. And
> btrfs_ioctl_rm_dev_v2 would call btrfs_rm_device,
> if the id of the volume device is illegal, it would trigger a
> null-ptr-deref bug to cause DoS.
>
> # Analyse
> https://lore.kernel.org/linux-btrfs/CAFcO6XO5TC5sEo-C9JGC75JkNAzkOSSLA3a=bwQqXFFbRTZ7Gw@mail.gmail.com/T/#md4b850f33616b7364f86e6fed144abc925f3669c
>
> #Fix
> the patch for this issue, not available upstream now.
> https://lore.kernel.org/linux-btrfs/20210806102415.304717-1-wqu@suse.com/T/#u
>
>
> #Timeline
> *2021/8/6 - Vulnerability reported to maintainer and CC to
> linux-btrfs@vger.kernel.org.
> *2021/8/6 - Vulnerability confirmed and patched.
> *2021/8/10 - Vulnerability reported to secalert@redhat.com.
> *2021/8/25 - Opened on oss-security@lists.openwall.com.
>
> #Credit
> the issue is reported by Active Defense Lab of Venustech.
>
> Regards,
> butt3rflyh4ck.
> --
> Active Defense Lab of Venustech
--
Active Defense Lab of Venustech
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic