ASA-2019-00658 – Linux kernel: Mounting a crafted btrfs filesystem image can lead to a use-after-free through syncfs system call


Allele Security Alert

ASA-2019-00658

Identifier(s)

ASA-2019-00658, CVE-2019-19448

Title

Mounting a crafted btrfs filesystem image can lead to a use-after-free through syncfs system call

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel version 5.0.21
Linux kernel version 5.3.11

Fixed version(s)

Unknown

Proof of concept

Yes

Description

Mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c, because the pointer to the left data structure (left_info) can be the same as the pointer to the right data structure (right_info).
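
A simplified model of the aliasing hazard described above, added here as an example; it is not the kernel's code and does not come from the advisory or the btrfs project. The struct, the function names and the guard are assumptions made for illustration, and a `freed` flag stands in for the real free so that the second use is reported instead of executed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for a free-space entry; not the kernel's struct. */
struct fs_entry {
    uint64_t offset, bytes;
    bool freed;   /* models the free of the entry without releasing memory */
};

/* Fold nb into info and mark it freed; false means nb was already freed. */
static bool absorb(struct fs_entry *info, struct fs_entry *nb, bool is_left)
{
    if (nb->freed)
        return false;   /* real code would be reading freed memory here */
    if (is_left)
        info->offset = nb->offset;
    info->bytes += nb->bytes;
    nb->freed = true;
    return true;
}

/* Consume the right neighbour, then the left. With check_alias false nothing
 * stops left and right from being one object; true adds an illustrative guard. */
static bool merge_neighbours(struct fs_entry *info, struct fs_entry *left,
                             struct fs_entry *right, bool check_alias)
{
    if (check_alias && left == right)
        left = NULL;    /* never consume the same object twice */
    if (right && !absorb(info, right, false))
        return false;
    if (left && !absorb(info, left, true))
        return false;
    return true;
}

/* Constructed case: both neighbour lookups returned the same entry. Returns the
 * merged size in bytes, or -1 if a freed entry would have been touched. */
static long long run_case(bool check_alias)
{
    struct fs_entry info = { 4096, 4096, false }, nb = { 8192, 4096, false };
    if (!merge_neighbours(&info, &nb, &nb, check_alias))
        return -1;
    return (long long)info.bytes;
}

int main(void)
{
    printf("unchecked=%lld checked=%lld\n", run_case(false), run_case(true));
    return 0;
}
```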

Technical details

Unknown

Credits

Team bobfuzzer

Reference(s)

btrfs: keep track of discardable_bytes for async discard
https://github.com/torvalds/linux/commit/5dc7c10b87474c98116d3438739743cd77263e9f#diff-c878927f29d8561258ac24cef343b9e3

btrfs: track discardable extents for async discard
https://github.com/torvalds/linux/commit/dfb79ddb130e0a239e3e90aaf5f5b908555f52bb#diff-c878927f29d8561258ac24cef343b9e3

btrfs: discard one region at a time in async discard
https://github.com/torvalds/linux/commit/2bee7eb8bb8185679ea282b8ccff6bfabcf52a63#diff-c878927f29d8561258ac24cef343b9e3

btrfs: handle empty block_group removal for async discard
https://github.com/torvalds/linux/commit/6e80d4f8c422d3b2b0c37324d3243f5ed9b558c8#diff-c878927f29d8561258ac24cef343b9e3

btrfs: add the beginning of async discard, discard workqueue
https://github.com/torvalds/linux/commit/b0643e59cfa609c4b5f246f2b2c33b078f87e9d9#diff-c878927f29d8561258ac24cef343b9e3

btrfs: keep track of free space bitmap trim status cleanliness
https://github.com/torvalds/linux/commit/da080fe1bad4777b02f6a3db42823a8797aadbca#diff-c878927f29d8561258ac24cef343b9e3

btrfs: keep track of which extents have been discarded
https://github.com/torvalds/linux/commit/a7ccb255852413dd59263e551fd0ef13f76fc9b9#diff-c878927f29d8561258ac24cef343b9e3

CVE/CVE-2019-19448 at master · bobfuzzer/CVE · GitHub
https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19448

CVE-2019-19448 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-19448

CVE-2019-19448 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19448.html

CVE-2019-19448 | SUSE
https://www.suse.com/security/cve/CVE-2019-19448

CVE-2019-19448
https://security-tracker.debian.org/tracker/CVE-2019-19448

CVE-2019-19448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19448

CVE-2019-19448
https://nvd.nist.gov/vuln/detail/CVE-2019-19448

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 17, 2020

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.