Linux Kernel Btrfs Component Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Btrfs file system component of the Linux kernel. This issue arises when the 'read_one_chunk' function processes a missing device, leading to a potential memory corruption. The vulnerability occurs because the error code is not properly stored before the 'extent_map' is freed, despite being a reference-counted structure. The problem can manifest when a chunk is located on a missing device and the 'degraded' mount option is not enabled.

Impact

Exploitation of this vulnerability can lead to memory corruption, potentially allowing for arbitrary code execution or causing a system crash.

Reproduction

To reproduce this vulnerability, mount a Btrfs file system with chunks stored on a device that is intentionally made unavailable, and do not use the 'degraded' mount option. This will trigger the 'read_one_chunk' function to handle the missing device improperly, creating a use-after-free condition.

Remediation

Users can upgrade to the latest stable version of the Linux kernel where this vulnerability has been patched.