Linux Kernel Btrfs Invalid Relocation Tree Root Key Vulnerability

A vulnerability in the Linux kernel's Btrfs file system has been addressed, concerning the handling of relocation tree root keys. The issue arose when an invalid relocation tree was detected, leading to a crash as an assertion failed. This mismatch occurred because relocation trees, which are meant for subvolume trees, were incorrectly associated with a quota tree that should not have had a relocation tree. The problem was traced back to corrupted on-disk data, which can trigger such assertions. The vulnerability has been fixed by ensuring that the tree-checker verifies root keys, allowing relocation trees only for subvolumes.

Impact

The vulnerability could lead to a denial of service by causing a system crash, as reported by Syzbot.

Reproduction

The vulnerability can be reproduced by creating an invalid relocation tree for a quota tree, which should not have a relocation tree. This can be done by corrupting the on-disk data to create a mismatch that the Btrfs file system's tree-checker does not catch, allowing the invalid state to trigger the assertion failure during normal operations.

Remediation

Users can upgrade to the patched version of the Linux kernel available in the Linux Kernel Stable PPA.