Bug 1816142 (CVE-2011-0699) - CVE-2011-0699 kernel: integer signedness error in the btrfs_ioctl_space_info function could lead to a DoS
Summary: CVE-2011-0699 kernel: integer signedness error in the btrfs_ioctl_space_info ...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2011-0699
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1821152
Blocks: 1816143
TreeView+ depends on / blocked
 
Reported: 2020-03-23 12:51 UTC by Marian Rehak
Modified: 2021-11-12 20:06 UTC (History)
45 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the BTRFS implementation in the Linux kernel, where a local user with elevated permissions (either root user or in the disk group) can issue an ioctl to the /dev/btrfs-control device node. This flaw panics the system and allows memory allocation if a specially crafted ioctl is made that abuses the logic when comparing values with different types.
Clone Of:
Environment:
Last Closed: 2020-04-08 22:31:49 UTC
Embargoed:

Attachments (Terms of Use)

Description Marian Rehak 2020-03-23 12:51:46 UTC 
A flaw was found in the BTRFS implementation in the Linux kernel where a local user with elevated permissions (either root user or in the "disk" group) would be able to issue an ioctl to the /dev/btrfs-control device node.  

This could panic the system or allow for memory allocation if a specifically crafted ioctl is made that abuses the logic when comparing values with different types.

External References:

https://marc.info/?l=linux-kernel&m=129726078708425&w=2
Comment 1 Wade Mealing 2020-04-06 06:53:50 UTC 
Bit of public analysis for anyone following along:

The /dev/btrfs-control device node used by btrfs userspace programs to manipulate and query kernel data about btrfs.  Users must have write access to this device file node to be able to issue ioctl commands to the device node.

By default with no btrfs module loaded the /dev/btrfs-control device has these permissions.


$ls /dev/btrfs-control
crw-------. 1 root root 10, 234 Mar 24 09:25 /dev/btrfs-control

When the module is loaded however it changes to 

$ ls -l /dev/btrfs-control 
crw-rw----. 1 root disk 10, 234 Apr  6 15:01 /dev/btrfs-control

Note the change from ownership of the 'root' group to the 'disk' group.  This means that any user with root or in the 'disk' group would be able to issue ioctl commands to btrfs filesystem management code in the kernel.

With a simplistic investigation checked that there were no users in this group by default:

$ getent group |grep disk
disk:x:6:

But after checking on a full install, the amandabackup user was in the disk group.  This means that 'amandabackup' user is effectively able to modify any files on devices that allow write permissions as the 'disk' group.  Unfortunately there are a few.

$ ls -l /dev/ |grep disk
crw-rw----. 1 root     disk     10,   234 Apr  6 15:01 btrfs-control
drwxr-xr-x. 6 root     root           120 Mar 30 10:37 disk
brw-rw----. 1 root     disk    253,     0 Mar 30 10:38 dm-0
brw-rw----. 1 root     disk    253,     1 Mar 30 10:38 dm-1
brw-rw----. 1 root     disk      7,     0 Apr  6 15:01 loop0
crw-rw----. 1 root     disk     10,   237 Apr  6 15:01 loop-control
brw-rw----. 1 root     disk    259,     0 Mar 30 10:38 nvme0n1
brw-rw----. 1 root     disk    259,     1 Mar 30 10:38 nvme0n1p1
brw-rw----. 1 root     disk    259,     2 Mar 30 10:38 nvme0n1p2
brw-rw----. 1 root     disk    259,     3 Mar 30 10:38 nvme0n1p3
brw-rw----. 1 root     disk      8,     0 Mar 30 10:38 sda
crw-rw----. 1 root     disk     21,     0 Mar 30 10:38 sg0

Fortunately, it appears as though the amandabackup user is not maliciously created and won't actively try to destroy the system.  Red Hat Product Security strongly recommends against giving users access to the 'disk' group due to the 'group permission' attack vector being such an easy path to escalation.

So, as this means that this flaw requires 'elevated' non standard permissions, this means that the cvss v3 scoring has to be modified (PR:H), as normal users do not, and should not have the 'disk group' set.

With that aside though, if the user does have the disk group or CAP_SYS_RAWIO, they will able to abuse this flaw.
Comment 3 Wade Mealing 2020-04-06 07:44:41 UTC 
The actual fix for the issue was revised and is here: https://marc.info/?l=linux-btrfs&m=129726826120859&w=2 and ended up being commit 51788b1bdd0d68345bab0af4301e7fa429277228
Comment 5 Wade Mealing 2020-04-06 07:48:40 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1821152]
Comment 7 Wade Mealing 2020-04-06 07:55:20 UTC 
Mitigation:


As the BTRFS module will be auto-loaded when required, its use can be disabled  by preventing the module from loading with the following instructions:

# echo "install btrfs /bin/true" >> /etc/modprobe.d/disable-btrfs.conf

The system will need to be restarted if the BTRFS modules are loaded, it may be possible to unload them. In most circumstances, the BTRFS kernel modules will be unable to be unloaded while any BTRFS filesystems are mounted or in use.

If the system requires this module to work correctly, this mitigation may not be suitable.

If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.
Comment 9 Justin M. Forbes 2020-04-06 13:03:57 UTC 
This flaw was fixed upstream in 2011 and does not impact any currently supported version of Fedora.
Comment 10 Product Security DevOps Team 2020-04-08 22:31:49 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2011-0699
Note You need to log in before you can comment on or make changes to this bug.