Red Hat Bugzilla – Bug 593226
CVE-2010-1636 kernel: btrfs: check for read permission on src file in the clone ioctl
Last modified: 2012-03-28 04:46:30 EDT
Description of problem:
The existing [btrfs] code would have allowed you to clone a file that was only open for writing. Not an expected behaviour.
The kernel in Red Hat Enterprise Linux 6 has support for Btrfs by default.
Red Hat would like to thank Dan Rosenberg for responsibly reporting this issue.
Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG, as they did not include support for Btrfs, a new copy-on-write filesystem.
Created attachment 414994
The steps to reproduce the issue and exploit.c were made publicly available in: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/579585
$ dd if=/dev/zero of=fs.iso bs=1M count=500
$ losetup /dev/loop7 fs.iso
$ mkfs.btrfs /dev/loop7
$ mkdir mountpoint
$ mount /dev/loop7 mountpoint
$ cd mountpoint
$ echo "This is a write-only file" > target
$ chmod 200 target
$ ./exploit target output
$ cat output
This is a write-only file
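The missing check described in this bug, modelled in user space as an added example (not the btrfs code or the patch itself): the clone path copies at the inode level, so it bypasses the read path's mode check unless it tests the source's open mode itself. All `model_*` names, the `MODEL_*` constants and the error values are assumptions of this model.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Simplified user-space model; names echo kernel concepts but are not kernel code. */
#define MODEL_FMODE_READ  0x1u
#define MODEL_FMODE_WRITE 0x2u
#define MODEL_SECRET "This is a write-only file"   /* constructed sample content */

struct model_inode { char data[64]; size_t len; };
struct model_file  { struct model_inode *inode; unsigned f_mode; };

/* Ordinary read path: refuses a descriptor that was not opened for reading. */
long model_read(const struct model_file *f, char *buf, size_t n)
{
    if (!(f->f_mode & MODEL_FMODE_READ))
        return -EBADF;
    if (n > f->inode->len)
        n = f->inode->len;
    memcpy(buf, f->inode->data, n);
    return (long)n;
}

/* Clone path: copies src's contents into dst at the inode level, so the
 * check in model_read() is never reached. check_src selects the behaviour
 * before (0) and after (1) the fix named in the bug title. */
int model_clone(struct model_file *dst, const struct model_file *src, int check_src)
{
    if (!(dst->f_mode & MODEL_FMODE_WRITE))
        return -EINVAL;             /* destination must be writable */
    if (check_src && !(src->f_mode & MODEL_FMODE_READ))
        return -EINVAL;             /* the fix: source must be open for reading */
    memcpy(dst->inode->data, src->inode->data, src->inode->len);
    dst->inode->len = src->inode->len;
    return 0;
}

/* Scenario from the steps above: src is open write-only, dst is open
 * read/write. Returns the bytes readable from dst afterwards, or the
 * negative error returned by the clone. */
long model_scenario(int check_src)
{
    struct model_inode secret = { MODEL_SECRET, sizeof(MODEL_SECRET) - 1 };
    struct model_inode out = { "", 0 };
    struct model_file src = { &secret, MODEL_FMODE_WRITE };
    struct model_file dst = { &out, MODEL_FMODE_READ | MODEL_FMODE_WRITE };
    char buf[64];
    int rc = model_clone(&dst, &src, check_src);
    return rc ? rc : model_read(&dst, buf, sizeof buf);
}
```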
kernel-220.127.116.11-112.fc13 has been submitted as an update for Fedora 13.
kernel-18.104.22.168-127.fc12 has been submitted as an update for Fedora 12.
kernel-22.214.171.124-112.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
kernel-126.96.36.199-127.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.