News
Vigil@nce - Linux kernel: denial of service by filename collision in a BTRFS filesystem
January 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who can create files with arbitrary names, can select
these names in such a way that they trigger numerous collisions in
a hash function from the BTRFS filesystem, in order to block the
filesystem.
Impacted products: Linux
Severity: 2/4
Creation date: 17/12/2012
DESCRIPTION OF THE VULNERABILITY
BTRFS is a new filesystem for Linux, sometimes considered as still
in development.
The file order in a directory is meaningless, so BRTFS stores
these filenames in a hash table based on a CRC like function, this
data structure usually allows lookups in a constant time. The
mathematical definition of the CRC function makes very easy
finding an arbitrary large number of byte strings that have the
same CRC. However, the BTRFS code correctly manages only a small
number of collisions. When creating files, BTRFS handles only 61
collisions. When removing files, BTRFS seems to fall in an endless
loop for only about 10 collisions per hash value.
An attacker who can create files with arbitrary names, can
therefore select these names in such a way that they trigger
numerous collisions in a hash function from the BTRFS filesystem,
in order to block the filesystem.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
