Bug 1102721 - (CVE-2018-14722) VUL-0: CVE-2018-14722: btrfsmaintenance: Code execution
VUL-0: CVE-2018-14722: btrfsmaintenance: Code execution
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: David Sterba
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2018-07-26 09:28 UTC by Karol Babioch
Modified: 2021-07-19 14:26 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Karol Babioch 2018-07-26 09:28:30 UTC

I just stumbled across the evaluate_auto_mountpoint function in

# function: evaluate_auto_mountpoint
# parameter: A variable name
# this function checks whether the variable contains the special keyword "auto"
# if yes, all currently mounted btrfs filesystems are evaluated and their mountpoints
# are put into the parameter variable
evaluate_auto_mountpoint() {
        if [ "$(eval expr \"$MOUNTPOINTSVAR\")" = "auto" ]; then
                # find one (and only one) corresponding mountpoint for each btrfs device node
                for DEVICE in $BTRFS_DEVICES; do
                        MNT=$(findmnt --types btrfs --first-only --noheadings --output "TARGET" --source "$DEVICE")
                        if [ -n "$MNTLIST" ]; then
                echo "evaluate mounted filesystems: $MNTLIST"
                eval "$1=$MNTLIST"

The 'eval "$1=$MNTLIST"' allows bash command evaluation.
This is triggered by btrfs-{scrub,balance,trim}.timer units if the respective
option in /etc/sysconfig/btrfsmaintenance is set to "auto". Fortunately that is
not the default.


> mkfs.btrfs -fL '`logger pwned`' /dev/sdc2
(mount as user using your favorite tool)
> (as root, to accelerate) systemctl start btrfs-trim
> journalctl
Jul 26 10:55:57 linux-e202.suse.de btrfs-trim.sh[23928]: evaluate mounted filesystems: /run/media/fvogt/`logger pwned`
Jul 26 10:55:57 linux-e202.suse.de root[23943]: pwned

Comment 8 Karol Babioch 2018-07-30 06:42:16 UTC
CVE-2018-14722 has been assigned to this. We are planning to announce this via linux-distros to let other distributions know. This will give us (at maximum) a two weeks window of opportunity to get this fixed in time.
Comment 14 David Sterba 2018-08-09 12:33:02 UTC
Created attachment 779339 [details]

Fixed typo, updated changelog.
Comment 16 Fabian Vogt 2018-08-09 12:54:55 UTC
Comment on attachment 779339 [details]

There's a typo in the commit message:

> mkfs.btrfs --label "`/evil/command`' /dev/sdx

The only bug that remains is that with ":" in mountpoints it won't do its job for that device, but not break anything else. So not a security relevant bug AFAICT.
Comment 17 Marcus Meissner 2018-08-14 15:54:15 UTC
making public
Comment 19 David Sterba 2018-09-25 14:16:55 UTC
Upstream release 0.4.2 contains the fix, now submitted to Factory. I'll continue with SLE15 update.
Comment 20 Johannes Segitz 2018-10-09 11:08:35 UTC
(In reply to David Sterba from comment #19)
didn't see it until now, please submit.  Thank you
Comment 23 Marcus Meissner 2021-07-19 14:26:25 UTC
not yet submitte for SUSE:SLE-15:Update.

we rate it below cvss v3.1 score 7, so we will not addres it for SLE 15 update.