Red Hat Bugzilla – Bug 616998
CVE-2010-2537 CVE-2010-2538 kernel: btrfs: fix checks in BTRFS_IOC_CLONE_RANGE
Last modified: 2015-08-31 23:55:32 EDT
Description of problem:
1. CVE-2010-2537 - The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check whether the donor file is append-only before writing to it.
2. CVE-2010-2538 - The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer overflow that allows a user to specify an out-of-bounds range to copy from the source file (if off + len wraps around).
The kernel in Red Hat Enterprise Linux 6 has support for Btrfs by default.
Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not include support for Btrfs, a new copy-on-write filesystem.
Red Hat would like to thank Dan Rosenberg for responsibly reporting this issue.
*** Bug 616992 has been marked as a duplicate of this bug. ***
Fixed upstream in 2.6.35, 18.104.22.168, 22.214.171.124 and 126.96.36.199
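The off + len wrap described for CVE-2010-2538 above, as an added example that is not taken from this bug report or from the kernel source: a range check that forms off + len in unsigned 64-bit arithmetic, next to one that cannot wrap. The function names, the sample cases and the 4096-byte source size are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive check: off + len is computed modulo 2^64, so a very large off
 * can wrap the sum to a small value that is not greater than size. */
static bool range_ok_wrapping(uint64_t off, uint64_t len, uint64_t size)
{
    return !(off + len > size);
}

/* Wrap-safe check: the sum is never formed. Once off <= size is known,
 * size - off cannot underflow and len is compared against what is left. */
static bool range_ok_checked(uint64_t off, uint64_t len, uint64_t size)
{
    if (off > size)
        return false;
    return len <= size - off;
}

struct clone_case {
    const char *name;
    uint64_t off, len;
};

int main(void)
{
    const uint64_t size = 4096;             /* constructed source size */
    const struct clone_case cases[] = {     /* constructed requests */
        { "whole file",    0,                 4096 },
        { "tail",          4000,              96   },
        { "past EOF",      4000,              97   },
        { "wrapping sum",  UINT64_MAX - 4095, 8192 },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        const struct clone_case *c = &cases[i];
        printf("%-13s naive=%-6s checked=%s\n", c->name,
               range_ok_wrapping(c->off, c->len, size) ? "accept" : "reject",
               range_ok_checked(c->off, c->len, size) ? "accept" : "reject");
    }
    return 0;
}
```

Only the last case differs between the two checks: the naive form accepts it because the sum wraps to exactly 4096.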