Linux Kernel Btrfs Use-After-Free Vulnerability in Transaction Management

A use-after-free vulnerability has been identified in the Linux kernel's Btrfs file system, specifically in the transaction management process. The issue arises when the system attempts to join a transaction that has been aborted. After unlocking the transaction lock, the system reads the 'aborted' field, creating a window where a concurrent task can free the transaction, leading to a use-after-free condition. This vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, which can potentially be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.

Reproduction

The vulnerability can be reproduced by initiating a transaction and then aborting it while another process is attempting to join the transaction. This can be done using a workload that triggers the transaction management functions in Btrfs, such as creating or modifying files in a way that requires transaction handling. The 'aborted' field can then be read after the transaction has been freed, causing the use-after-free condition.

Remediation

Users should upgrade to the latest stable version of the Linux kernel where this vulnerability has been addressed.