Linux Kernel Btrfs Free Space Tree Assertion Failure Vulnerability

An assertion failure vulnerability has been identified in the Linux kernel's Btrfs file system, specifically when the block group tree feature is enabled. During the process of rebuilding the free space tree, an empty block group can be encountered, leading to a kernel bug. This issue arises because the block group has no allocated extents or items, including the block group item itself, which is stored in a dedicated tree under the block group tree feature. The vulnerability manifests as a kernel bug assertion failure, indicating a flaw in the handling of free space management for certain block groups.

Impact

The vulnerability causes a kernel assertion failure, leading to a kernel panic and crash. This disrupts system operations and can cause a denial of service by making the system unresponsive or unavailable.

Reproduction

To reproduce this vulnerability, enable the block group tree feature in the Btrfs file system. Then, create an empty block group with no allocated extents or items. When the free space tree is rebuilt, the assertion failure will occur, triggering a kernel bug. This can be automated with a syzkaller fuzzer, which will generate the necessary conditions to hit the bug.

Remediation

Users can upgrade to the patched version of the Linux kernel where this vulnerability has been addressed. The specific commit containing the fix is available in the Linux kernel stable tree.