Vigil@nce: Linux kernel, file access via BTRFS_IOC_CLONE
July 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
On a btrfs filesystem, a local attacker can use BTRFS_IOC_CLONE*,
in order to read or write a file.
– Severity: 2/4
– Creation date: 21/07/2010
DESCRIPTION OF THE VULNERABILITY
The btrfs filesystem is supported since Linux kernel version
2.6.29. The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls can
be used to copy files. These ioctls are impacted by two
vulnerabilities.
These ioctls do not check if the destination file has the
append-only attribute mode before writing to it. [severity:2/4;
BID-41847, CVE-2010-2537]
The BTRFS_IOC_CLONE_RANGE ioctl does not correctly check the range
of the source file, which may be used to read data. [severity:1/4;
BID-41854, CVE-2010-2538]
On a btrfs filesystem, a local attacker can therefore use
BTRFS_IOC_CLONE*, in order to read or write a file.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-file-access-via-BTRFS-IOC-CLONE-9782