Bug 593226 (CVE-2010-1636)

Summary: CVE-2010-1636 kernel: btrfs: check for read permission on src file in the clone ioctl
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: arozansk, davej, eguan, kmcmartin, lwang, pmatouse, tcallawa
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-28 08:46:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 593227    
Bug Blocks:    
Attachments:
Description Flags
exploit.c none

Description Eugene Teo (Security Response) 2010-05-18 09:02:16 UTC
Description of problem:
The existing [btrfs] code would have allowed you to clone a file that was only open for writing. Not an expected behaviour.

Upstream commit:
http://git.kernel.org/linus/5dc6416414fb3ec6e2825fd4d20c8bf1d7fe0395

Reference:
https://btrfs.wiki.kernel.org/index.php/Main_Page

The kernel in Red Hat Enterprise Linux 6 has support for Btrfs by default.

Acknowledgements:

Red Hat would like to thank Dan Rosenberg for responsibly reporting this issue.

Comment 2 Eugene Teo (Security Response) 2010-05-18 09:11:09 UTC
Statement:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not include support for Btrfs, a new copy on write filesystem.

Comment 3 Eugene Teo (Security Response) 2010-05-19 01:16:07 UTC
Created attachment 414994 [details]
exploit.c

The steps to reproduce the issue and exploit.c were made publicly available in: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/579585

$ dd if=/dev/zero of=fs.iso bs=1M count=500
$ losetup /dev/loop7 fs.iso
$ mkfs.btrfs /dev/loop7
$ mkdir mountpoint
$ mount /dev/loop7 mountpoint
$ cd mountpoint
$ echo "This is a write-only file" > target
$ chmod 200 target
$ ./exploit target output
$ cat output
This is a write-only file

Comment 4 Fedora Update System 2010-05-27 21:25:14 UTC
kernel-2.6.33.5-112.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/kernel-2.6.33.5-112.fc13

Comment 5 Fedora Update System 2010-05-28 06:59:28 UTC
kernel-2.6.32.14-127.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/kernel-2.6.32.14-127.fc12

Comment 6 Fedora Update System 2010-05-31 18:30:23 UTC
kernel-2.6.33.5-112.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2010-06-14 17:13:40 UTC
kernel-2.6.32.14-127.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.