Linux Kernel Btrfs NULL Pointer Dereference Vulnerability in Scrub Operation

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's Btrfs file system. It can occur during a read-only scrub operation when the file system is mounted with the 'rescue=idatacsums' option, which skips loading the checksum tree. The scrub operation then attempts to read data without the checksum tree it needs for verification, and the kernel crashes. The vulnerability affects Linux kernel versions 6.15.0-rc3 and prior.

Impact

Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, mount a Btrfs file system with the 'rescue=idatacsums' option. Then, initiate a read-only scrub operation. The scrub process will crash, triggering a kernel NULL pointer dereference error. This occurs because the 'idatacsums' option prevents the loading of the checksum tree, causing the scrub operation to operate without necessary data verification.

Remediation

Users can avoid this vulnerability by not using the 'rescue=idatacsums' mount option, ensuring that the checksum tree is properly loaded and verified during scrub operations.
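
One way to apply this before a scheduled scrub, as an added example that is not part of the original advisory: list the Btrfs mounts that carry the option and skip them. The function names and sample lines are constructed for illustration; it assumes the option appears in the /proc/mounts options field under either its short or long spelling, with multiple rescue sub-options joined by ':'.

```shell
#!/bin/sh
# Added example: find Btrfs mounts that use the rescue option named in this
# advisory so that a scrub job can skip them. Function names are hypothetical.

# Constructed sample in /proc/mounts format (not captured from a real host).
constructed_sample() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /data btrfs rw,relatime,space_cache=v2,subvolid=5,subvol=/ 0 0
/dev/sdc1 /mnt/recover btrfs ro,relatime,rescue=idatacsums,subvolid=5,subvol=/ 0 0
/dev/sdd1 /mnt/r2 btrfs ro,relatime,rescue=nologreplay:ignoredatacsums,subvolid=5 0 0
/dev/sde1 /mnt/r3 btrfs ro,relatime,rescue=nologreplay,subvolid=5 0 0
EOF
}

# btrfs_idatacsums_mounts [MOUNTS_FILE]
# Prints the mount point of every btrfs entry whose rescue= list contains
# idatacsums. Reads /proc/mounts when no file is given.
btrfs_idatacsums_mounts() {
    awk '
    $3 == "btrfs" {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) {
            if (opts[i] !~ /^rescue=/) continue
            # Assumption: rescue sub-options are joined with ":".
            m = split(substr(opts[i], 8), sub_opts, ":")
            for (j = 1; j <= m; j++) {
                # "ignoredatacsums" is the long spelling of "idatacsums".
                if (sub_opts[j] == "idatacsums" || sub_opts[j] == "ignoredatacsums") {
                    print $2
                    next
                }
            }
        }
    }' "${1:-/proc/mounts}"
}

# safe_to_scrub MOUNT_POINT [MOUNTS_FILE]
# Returns 0 if the mount point is not affected, 1 (with a message) if it is.
# MOUNT_POINT must be spelled as it appears in the mounts file.
safe_to_scrub() {
    if btrfs_idatacsums_mounts "${2:-/proc/mounts}" | grep -Fxq -- "$1"; then
        echo "skipping scrub on $1: mounted with rescue=idatacsums" >&2
        return 1
    fi
    return 0
}
```

A scrub wrapper can call `safe_to_scrub /mount/point` and start the scrub only when it returns 0.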

Added: Jun 18, 2025, 11:01 AM
Updated: Jun 18, 2025, 11:01 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.