Linux Kernel Btrfs NULL Pointer Dereference Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's Btrfs file system. This issue arises during the scrub operation, which is intended to check the integrity of data and metadata. The vulnerability occurs when the extent tree, crucial for the scrub process, is corrupted. As a result, the scrub operation attempts to access a NULL pointer, leading to a kernel crash. The vulnerability affects Linux kernel versions through 6.13.0-rc4.

Impact

Exploitation of this vulnerability causes a kernel crash due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by using a corrupted Btrfs image that has a damaged extent tree root. Mount the image with the 'rescue=all,ro' option, which allows read-only access while ignoring certain errors. Once the image is mounted, initiate a scrub operation. The scrub process will fail because it relies on a valid extent tree to locate data and metadata extents. The 'scrub_find_fill_first_stripe' function, which is part of the scrub operation, does not account for a NULL pointer in the extent root, resulting in a crash.

Remediation

Users can upgrade to a patched version of the Linux kernel where this vulnerability has been addressed. For kernels older than 6.6, manual backporting of the fix is required.