Linux Kernel Btrfs Zoned Write Pre-allocation Null Pointer Dereference Vulnerability

Vulnerability

A NULL pointer dereference has been identified in the Btrfs file system of the Linux kernel. It affects zoned mode when writing into a pre-allocated region, the write path used by data relocation. If no checksum covers the region being written, the code that finishes the ordered write can pick up an unrelated checksum item; the logical address taken from that item is misaligned, the lookup of the block group that owns it fails, and the kernel either trips an assertion (on builds with Btrfs assertions enabled) or dereferences a NULL pointer and crashes. The issue has been reproduced by repeatedly running one fstests Btrfs test case against a null block device (null_blk) configured with a zone size of 32 MB and a total size of 5 GB.

Impact

Triggering the bug crashes the kernel itself (an oops from the NULL pointer dereference, or a panic when the assertion fires), taking down the whole host rather than a single process: the impact is denial of service. Reaching the faulty path requires a Btrfs file system in zoned mode and a write into a pre-allocated region, which is what data relocation (a balance, for example) performs.

Reproduction

The issue reproduces by running the fstests (xfstests) suite, specifically test case btrfs/028, several times in a row (between 4 and 16 iterations are usually enough) on a null_blk device in zoned mode. The device should be configured with a zone size and zone capacity of 32 MB and a total size of 5 GB.
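The following script is an added example, not part of the original advisory or of the kernel's own test tooling. It builds the reproduction setup described above: two zoned null_blk devices created through configfs with a 32 MB zone size and capacity and a 5 GB total size, then fstests btrfs/028 looped with `check -I` until the first failure. It assumes root, a kernel with null_blk built with configfs support, an fstests checkout whose path is given by the XFSTESTS variable (default /var/lib/xfstests, an assumption), and that the devices are memory-backed so that reads return what was written (also an assumption; null_blk discards writes otherwise). The null_blk attributes size, zone_size and zone_capacity are all expressed in MB.

```bash
#!/bin/sh
# Added example (not from the advisory): zoned null_blk setup + btrfs/028 loop.
# Assumptions: root, CONFIG_BLK_DEV_NULL_BLK with configfs, fstests at $XFSTESTS.
set -eu

NULLB_CFG=/sys/kernel/config/nullb
XFSTESTS=${XFSTESTS:-/var/lib/xfstests}   # assumed checkout location

gb_to_mb() { echo $(( $1 * 1024 )); }

# null_blk needs a power-of-two zone size, a capacity no larger than the zone,
# and a total size that is a whole number of zones. Returns 1 otherwise, so a
# typo in the geometry fails here instead of as an EINVAL deep in configfs.
validate_geometry() {
    size_mb=$1; zone_mb=$2; cap_mb=$3
    [ "$zone_mb" -gt 0 ] && [ $(( zone_mb & (zone_mb - 1) )) -eq 0 ] || return 1
    [ "$cap_mb" -gt 0 ] && [ "$cap_mb" -le "$zone_mb" ] || return 1
    [ $(( size_mb % zone_mb )) -eq 0 ] || return 1
}

# Emit attribute=value pairs, one per line, in the order they must be written:
# geometry first, 'power=1' last because that is what instantiates the device.
render_config() {
    size_mb=$1; zone_mb=$2; cap_mb=$3
    validate_geometry "$size_mb" "$zone_mb" "$cap_mb"
    printf 'size=%s\nmemory_backed=1\nzoned=1\nzone_size=%s\nzone_capacity=%s\npower=1\n' \
        "$size_mb" "$zone_mb" "$cap_mb"
}

# Create /dev/<name>; recent null_blk names the disk after the configfs dir.
create_nullb() {
    name=$1; size_mb=$2; zone_mb=$3; cap_mb=$4
    mkdir -p "$NULLB_CFG/$name"
    render_config "$size_mb" "$zone_mb" "$cap_mb" | while IFS='=' read -r key val; do
        echo "$val" > "$NULLB_CFG/$name/$key"
    done
    [ -b "/dev/$name" ] || { echo "device /dev/$name did not appear" >&2; return 1; }
}

destroy_nullb() {
    name=$1
    [ -d "$NULLB_CFG/$name" ] || return 0
    echo 0 > "$NULLB_CFG/$name/power"
    rmdir "$NULLB_CFG/$name"
}

# Loop btrfs/028 with -I: iterate up to N times, stop at the first failure,
# which is the behaviour wanted for a bug that needs 4 to 16 runs to show up.
run_btrfs_028() {
    iterations=${1:-16}
    cd "$XFSTESTS"
    cat > local.config <<EOF
export FSTYP=btrfs
export TEST_DEV=/dev/nullb0
export TEST_DIR=/mnt/test
export SCRATCH_DEV=/dev/nullb1
export SCRATCH_MNT=/mnt/scratch
EOF
    mkdir -p /mnt/test /mnt/scratch
    mkfs.btrfs -f -q /dev/nullb0      # TEST_DEV must already hold a file system
    ./check -I "$iterations" btrfs/028
}

case "${1:-}" in
    setup)
        modprobe null_blk nr_devices=0   # do not let the module create nullb0 itself
        create_nullb nullb0 "$(gb_to_mb 5)" 32 32
        create_nullb nullb1 "$(gb_to_mb 5)" 32 32 ;;
    run)      run_btrfs_028 "${2:-16}" ;;
    teardown) destroy_nullb nullb0; destroy_nullb nullb1 ;;
    "")       ;;   # no subcommand: only define the functions (sourcing, testing)
    *)        echo "usage: $0 setup | run [iterations] | teardown" >&2; exit 2 ;;
esac
```

Run it as `./repro.sh setup`, then `./repro.sh run 16`, and `./repro.sh teardown` afterwards. The geometry check is the part worth keeping even if the rest is adapted: null_blk rejects a zone size that is not a power of two and a capacity larger than the zone, and a total size that is not zone-aligned silently changes the zone count you think you are testing.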

Remediation

Upgrade to a kernel that carries the fix: the latest stable release from kernel.org, or a distribution kernel into which the fix has been backported. Only Btrfs file systems mounted on zoned block devices (zoned mode) reach the affected code path, so systems that do not use zoned Btrfs are not exposed.

Added: Dec 24, 2025, 3:54 PM
Updated: Dec 24, 2025, 3:54 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  3.9
remediation     7.7
relevance       1.6
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.