'Re: [oss-security] Linux kernel: fs/btrfs: null-ptr-dereference bug in btrfs_rm_device in fs/btrfs/v'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Linux kernel: fs/btrfs: null-ptr-dereference bug in btrfs_rm_device in fs/btrfs/v
From:       butt3rflyh4ck <butterflyhuangxx () gmail ! com>
Date:       2021-08-26 9:36:02
Message-ID: CAFcO6XNHPFyFvFUJhPVQ+YHLZw=fnxGoig+ZjWjv7rXZcxmX2g () mail ! gmail ! com
[Download RAW message or body]

Hi, RedHat has assigned  CVE-2021-3739   to this issue.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3739.

Please track the below link for more information.
https://bugzilla.redhat.com/show_bug.cgi?id=1997958

Regards,
  butt3rflyh4ck.



On Wed, Aug 25, 2021 at 10:49 AM butt3rflyh4ck
<butterflyhuangxx@gmail.com> wrote:
> 
> Hello, there is a null pointer dereference bug in the btrfs_rm_device
> function in fs/btrfs/volumes.c in linux-5.14.0-rc4+ and reproduce too.
> Fortunately, triggering the bug requires ‘CAP_SYS_ADMIN'.
> 
> #Root Cause
> When a user invokes a BTRFS_IOC_RM_DEV_V2 ioctl to remove a non-exist
> volume device,
> it would call btrfs_ioctl_rm_dev_v2 function to implement. And
> btrfs_ioctl_rm_dev_v2 would call btrfs_rm_device,
> if the id of the volume device is illegal, it would trigger a
> null-ptr-deref bug to cause DoS.
> 
> # Analyse
> https://lore.kernel.org/linux-btrfs/CAFcO6XO5TC5sEo-C9JGC75JkNAzkOSSLA3a=bwQqXFFbRTZ7Gw@mail.gmail.com/T/#md4b850f33616b7364f86e6fed144abc925f3669c
>  
> #Fix
> the patch for this issue, not available upstream now.
> https://lore.kernel.org/linux-btrfs/20210806102415.304717-1-wqu@suse.com/T/#u
> 
> 
> #Timeline
> *2021/8/6 - Vulnerability reported to maintainer and CC to
> linux-btrfs@vger.kernel.org.
> *2021/8/6 - Vulnerability confirmed and patched.
> *2021/8/10 - Vulnerability reported to secalert@redhat.com.
> *2021/8/25 - Opened on oss-security@lists.openwall.com.
> 
> #Credit
> the issue is reported by Active Defense Lab of Venustech.
> 
> Regards,
> butt3rflyh4ck.
> --
> Active Defense Lab of Venustech



--
Active Defense Lab of Venustech


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic