Bug 912341 (CVE-2012-5374)

Summary: CVE-2012-5374 kernel (btrfs): DoS (extended runtime of kernel code) via CRC32C hash collisions
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: agordeev, anton, davej, dhoward, fhrbata, gansalmon, iboverma, itamar, jforbes, jneedle, jonathan, jwboyer, kernel-maint, kernel-mgr, lwang, madhu.chinakonda, mcressma, mdshaikh, mrg-program-list, plougher, ppandit, rvrbovsk, sforsber
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-06-10 04:56:31 UTC
Bug Blocks: 912344

Description Jan Lieskovsky 2013-02-18 13:14:24 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5374 to the following vulnerability:

The CRC32C feature in the Btrfs implementation in the Linux kernel before 3.8-rc1 allows local users to cause a denial of service (extended runtime of kernel code) by creating many different files whose names are associated with the same CRC32C hash value.

[1] http://openwall.com/lists/oss-security/2012/12/13/20
[2] http://crypto.junod.info/2012/12/13/hash-dos-and-btrfs/
[3] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9c52057c698fb96f8f07e7a4bcf4801a092bda89
[4] http://www.kernel.org/pub/linux/kernel/v3.x/testing/patch-3.8-rc1.bz2
[5] https://github.com/torvalds/linux/commit/9c52057c698fb96f8f07e7a4bcf4801a092bda89

This is a kernel non-issue:
[UPDATE OF 17/12/2012] As several readers of this post have noticed, and I would like to warmly thank them for their feedback, the second attack does NOT generate an infinite loop within the btrfs code, but merely within the bash expansion code which is responsible to expand the command line rm *. This can be seen in the above screenshot, as the CPU is burnt in userland, and not in the kernel. Hence, what I thought to be a complexity attack against the btrfs file system is actually a (less glamorous) complexity attack against bash.

 -> http://crypto.junod.info/2012/12/13/hash-dos-and-btrfs/

Comment 2 Doran Moppert 2020-02-11 00:27:57 UTC

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.