Bug 1610088 (CVE-2018-14612) - CVE-2018-14612 kernel: Invalid pointer dereference in btrfs_root_node() when mounting a crafted btrfs image
Summary: CVE-2018-14612 kernel: Invalid pointer dereference in btrfs_root_node() when ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-14612
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1610089 1610090 1612834 1612835
Blocks: 1610091
TreeView+ depends on / blocked
 
Reported: 2018-07-31 01:35 UTC by Sam Fowler
Modified: 2021-10-25 09:50 UTC (History)
44 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An issue was discovered in the btrfs filesystem code in the Linux kernel. An invalid NULL pointer dereference in btrfs_root_node() when mounting a crafted btrfs image is due to a lack of chunk block group mapping validation in btrfs_read_block_groups() in the fs/btrfs/extent-tree.c function and a lack of empty-tree checks in check_leaf() in fs/btrfs/tree-checker.c function. This could lead to a system crash and a denial of service.
Clone Of:
Environment:
Last Closed: 2021-10-25 09:50:22 UTC
Embargoed:

Attachments (Terms of Use)

Description Sam Fowler 2018-07-31 01:35:43 UTC 
An issue was discovered in the btrfs filesystem code in the Linux kernel. There is an invalid NULL pointer dereference in btrfs_root_node() when mounting a crafted btrfs image, because of a lack of chunk block group mapping validation in btrfs_read_block_groups() in fs/btrfs/extent-tree.c, and a lack of empty-tree checks in check_leaf() in fs/btrfs/tree-checker.c, leading to a system crash and a denial of service.

References:

https://bugzilla.kernel.org/show_bug.cgi?id=199847

Suggested upstream patches:

https://patchwork.kernel.org/patch/10503403/

https://patchwork.kernel.org/patch/10503413/
Comment 1 Sam Fowler 2018-07-31 01:36:44 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1610089]
Comment 6 Vladis Dronov 2018-08-06 11:55:08 UTC 
Notes:

While the flaw reproducer works when run as a privileged user (the "root"), this requires a mount of a certain filesystem image. An unprivileged attacker cannot do this even from a user+mount namespace:

$ unshare -U -r -m
# mount -t btrfs fs.img mnt/
mount: mnt/: mount failed: Operation not permitted.

The article https://lwn.net/Articles/652468/ discusses unprivileged user mounts and hostile filesystem images:
 
> ... for the most part, the mount() system call is denied to processes running
> within user namespaces, even if they are privileged in their namespaces.

It also states that unprivileged filesystem mounts are not allowed as of now in the Linux kernel and probably won't be allowed in a future. Until that such flaws are considered as not exploitable:

> There were no proposals for solutions to the hostile-filesystem problem.
> But, in the absence of some sort of assurance that they can be made safe,
> unprivileged filesystem mounts are unlikely to gain acceptance; even if the
> feature gets into the kernel, distributions would be likely to disable it.

On the other hand, there is a potential possibility that still an attacker can trick a regular user to mount a malicious filesystem image, like trick him to insert an usb-flash-drive with a forged filesystem to a desktop system which will auto-mount it. In case this results only in a system crash (a DoS due to, for example, a NULL pointer dereference) the flaw impact is low but it still exists. In case of a flaw which results in a privilege escalation the flaw's impact is higher.

So the Red Hat would still consider bugs which require mounting a filesystem image to exploit as security flaws, though with Low severity.
Comment 7 Justin M. Forbes 2018-09-11 20:42:46 UTC 
This is fixed for Fedora with the 4.18 rebases.
Note You need to log in before you can comment on or make changes to this bug.