Linux Kernel Btrfs Qgroup Reserve Overflow Vulnerability

A vulnerability in the Linux kernel's Btrfs file system allows for a quota group (qgroup) reserve overflow. This issue arises because the 'bytes_changed' variable, used to track the amount of data reserved for the EXTENT_QGROUP_RESERVED state, is defined as an unsigned int. When attempting to allocate a range larger than 4 GiB, this variable can overflow, leading to an incorrect reservation of bytes and a breach of the qgroup limit. The vulnerability is exploited through the 'fallocate' command, which can bypass the intended 256 MiB per extent limit, causing the qgroup limit to be exceeded.

Impact

Exploitation of this vulnerability can lead to a violation of the Btrfs qgroup limits, allowing for excessive data references that exceed the configured quotas.

Reproduction

The vulnerability can be reproduced by creating a Btrfs file system and enabling quota management. After setting a qgroup limit of 2 GiB, attempting to allocate a 5 GiB file using the 'fallocate' command will succeed, despite exceeding the qgroup limit. This can be verified by checking the qgroup usage, which will show the limit has been breached.