Ubuntu
linux package

btrfs tree balance can be triggered by non-root user

Bug #695259 reported by Aron Xu
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Linux
Fix Released
Undecided
auto-linux-btrfs
btrfs-tools (Ubuntu)
Invalid
Undecided
Unassigned
linux (Ubuntu)
Fix Released
Low
Unassigned
linux-2.6 (Debian)
Fix Released
Unknown

Bug Description

Balance tree action of btrfs command should be limited to only root user, because it may cause data corrupt and usually result in an uninterruptible process which is causing a heavy I/O load (the process may keep runing for a long time because the action is not a easy deal).

Run the following command as a non-root user will also start the balance tree action ( / is btrfs here, with ext4 /boot):
$ btrfs filesystem balance /

I think this problem will cause serious issues if somebody uses it in a production system (though it is really not recommended).

What's more, I'm not sure whether this should be a bug in the Linux kernel/btrfs-tools, because such action is actually performed by using system calls. If I try to make a snapshot in a directory by a user who does not have the access, it will generate an error like this:
$ pwd
/home
$ whoami
aron
$ btrfs subvolume snapshot . backhome
Create a snapshot of '.' in './backhome'
ERROR: cannot snapshot '.

I think at least a workaround is needed to be settled in btrfs-tools (geteuid test) before the kernel side has this problem fixed.

See original description
Aron Xu (happyaron)
description: updated
isoma (isoma)
summary: - balance tree action should be only triggered by root
+ btrfs tree balance can be triggered by non-root user
Kees Cook (kees)
Changed in btrfs-tools (Ubuntu):
status: New → Invalid
Marc Deslauriers (mdeslaur)
Changed in linux (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Revision history for this message
Kees Cook (kees) wrote :

This looks like a local DoS. Have you reported this to the upstream btrfs mailing list?

Changed in linux (Ubuntu):
status: Confirmed → Incomplete
status: Incomplete → Confirmed
Revision history for this message
Aron Xu (happyaron) wrote :

Hi Kees,

Debian kernel team have given it a fix, and reported to upstream. Here is the link:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608185

Gary M (garym)
security vulnerability: no → yes
Bug Watch Updater (bug-watch-updater)
Changed in linux-2.6 (Debian):
status: Unknown → Fix Released
Revision history for this message
Gary M (garym) wrote :

Emailed to linux-btrfs by Ben Hutchings. Submitted to linux-kernel: git pull request for 2.6.38-rc1.

Changed in linux:
status: New → Fix Released
Revision history for this message
Gary M (garym) wrote :

Released also for lucid as 2.6.32.40+drm33.17 and maverick backport 2.6.35-32.66~lucid1.

Changed in linux (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Gary M (garym) wrote :

And included in linux releases 2.6.32.40, 2.6.34.11 & 2.6.35.14.

Gary M (garym)
tags: added: lucid maverick natty
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.