Linux Kernel Btrfs Use-After-Free Vulnerability in Block Group Management

Vulnerability

A use-after-free vulnerability has been identified in the Btrfs file system component of the Linux kernel. This issue arises during the management of block groups, specifically when a newly created block group becomes unused before its creation process is completed. The vulnerability is present in Linux kernel versions through 6.4.0-rc6. When the Btrfs system attempts to mark the block group as unused, it incorrectly assumes the block group is in the reclaim list, leading to improper management of the block group's reference count. This mismanagement can cause assertion failures and kernel crashes, as demonstrated by a test case that triggered the vulnerability.

Impact

Exploitation of this vulnerability leads to a kernel crash, commonly referred to as a 'kernel panic', caused by a reference count underflow. This type of crash can disrupt system operations and potentially lead to data loss.
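The reference-count mismatch described in the two sections above, shown as a small user-space C model. This is an added illustration, not code from the Linux kernel or from this advisory. The list names, the rule about which lists own a reference, and the checked variant are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only; every name is hypothetical, not a kernel identifier.
 * Assumption: the pending-creation list (LIST_NEW) holds no reference of its
 * own, while the reclaim and unused lists each own exactly one. */
enum bg_list { LIST_NONE, LIST_NEW, LIST_RECLAIM, LIST_UNUSED };
struct block_group { int refs; enum bg_list on; };

/* Flawed: any list membership is read as "on the reclaim list", so the move
 * to the unused list is treated as carrying a reference along with it. */
static void mark_unused_unchecked(struct block_group *bg)
{
    if (bg->on == LIST_NONE)
        bg->refs++;        /* unused list takes its own reference */
    bg->on = LIST_UNUSED;
}

/* Checked: a group still pending creation is left alone; the creation path
 * can mark it unused once it has finished. */
static bool mark_unused_checked(struct block_group *bg)
{
    if (bg->on == LIST_NEW)
        return false;
    mark_unused_unchecked(bg);
    return true;
}

/* Cleanup of the unused list drops the reference that list is believed to own. */
static void delete_unused(struct block_group *bg)
{
    if (bg->on == LIST_UNUSED) { bg->on = LIST_NONE; bg->refs--; }
}

/* Returns the count left before the owner's final put; 1 is the healthy value,
 * 0 means that final put would underflow the counter. */
static int refs_before_teardown(bool checked)
{
    struct block_group bg = { .refs = 1, .on = LIST_NEW };  /* mid-creation */
    if (checked) mark_unused_checked(&bg); else mark_unused_unchecked(&bg);
    delete_unused(&bg);
    return bg.refs;
}

int main(void)
{
    printf("unchecked=%d checked=%d\n", refs_before_teardown(false), refs_before_teardown(true));
    return 0;
}
```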

Reproduction

The vulnerability can be reproduced by creating a new block group in Btrfs and allowing it to become unused before the creation process is fully completed. This can be done by interrupting the block group creation with another operation that marks it as unused, such as unmounting the file system. The resulting assertion failure and stack trace will indicate the vulnerability has been triggered.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed. Instructions for upgrading the Linux kernel can be found in the documentation for the specific Linux distribution in use.

Added: Sep 15, 2025, 2:50 PM
Updated: Sep 15, 2025, 8:47 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.