Linux Kernel Btrfs Out-of-Bounds Write Vulnerability in btrfs_encode_fh() Function

Vulnerability

A vulnerability has been identified in the Linux kernel's Btrfs file system implementation, specifically in the btrfs_encode_fh() function, which encodes an inode into an exportable file handle. The function validates the caller's buffer against the size of a connectable file handle, but when the inode's parent lives in a different root it emits the larger connectable-root handle without rechecking that the maximum length allowed can hold it. As a result, 8 bytes are written past the end of the buffer, corrupting adjacent memory and potentially leading to arbitrary code execution.

Impact

Exploitation of this vulnerability causes an 8-byte out-of-bounds write, which can overwrite memory and potentially lead to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by invoking btrfs_encode_fh() with an inode whose parent has a different root ID. The function then writes a larger file handle than the length it validated against, exceeding the allocated buffer and causing memory corruption.
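As an added illustration (not the kernel's code): a simplified C model of the encoding step, with the insufficient length check beside a corrected one that requires room for the largest handle a parent can produce before anything is written. The struct layout, word counts and type codes are assumptions modelled on the kernel's btrfs_fid; the caller supplies a buffer sized for a connectable handle, guarded by canary words, and a parent in a different root.

```c
#include <stdint.h>
/* Simplified model of Btrfs file-handle encoding. Assumption: field layout and
 * word counts mirror the kernel's packed struct btrfs_fid (sizes in 32-bit words). */
#define FID_SIZE_NON_CONNECTABLE   5   /* objectid, root_objectid, gen     */
#define FID_SIZE_CONNECTABLE       8   /* + parent_objectid, parent_gen    */
#define FID_SIZE_CONNECTABLE_ROOT 10   /* + parent_root_objectid (8 bytes) */
#define FILEID_INVALID          0xff
#define CANARY            0xdeadbeefU
struct inode_model { uint64_t ino; uint64_t root_id; uint32_t gen; };
struct fid_model {
    uint64_t objectid, root_objectid; uint32_t gen;
    uint64_t parent_objectid;         uint32_t parent_gen;
    uint64_t parent_root_objectid;
} __attribute__((packed));

/* fixed == 0 keeps the insufficient length check described above; fixed == 1
 * demands room for the largest handle a parent can produce before writing. */
static int encode_fh(const struct inode_model *in, uint32_t *fh, int *max_len,
                     const struct inode_model *parent, int fixed)
{
    struct fid_model *fid = (struct fid_model *)fh;
    int need = parent ? (fixed ? FID_SIZE_CONNECTABLE_ROOT : FID_SIZE_CONNECTABLE)
                      : FID_SIZE_NON_CONNECTABLE;
    int len = FID_SIZE_NON_CONNECTABLE;
    if (*max_len < need) { *max_len = need; return FILEID_INVALID; }
    fid->objectid = in->ino; fid->root_objectid = in->root_id; fid->gen = in->gen;
    if (parent) {
        fid->parent_objectid = parent->ino; fid->parent_gen = parent->gen;
        len = FID_SIZE_CONNECTABLE;
        if (parent->root_id != in->root_id) {   /* parent lives in another root */
            fid->parent_root_objectid = parent->root_id;  /* words 8-9: beyond CONNECTABLE */
            len = FID_SIZE_CONNECTABLE_ROOT;
        }
    }
    *max_len = len;
    return len;                 /* stand-in for the kernel's FILEID_* type codes */
}

/* Caller offers exactly FID_SIZE_CONNECTABLE words, followed by two canary words.
 * Returns encode_fh()'s result, negated if the handle overran the canaries. */
int run_case(int fixed)
{
    uint32_t buf[FID_SIZE_CONNECTABLE + 2] = {0};
    struct inode_model child  = { .ino = 257, .root_id = 5,   .gen = 1 };  /* constructed */
    struct inode_model parent = { .ino = 256, .root_id = 256, .gen = 1 };  /* constructed */
    int max_len = FID_SIZE_CONNECTABLE, ret;
    buf[FID_SIZE_CONNECTABLE] = buf[FID_SIZE_CONNECTABLE + 1] = CANARY;
    ret = encode_fh(&child, buf, &max_len, &parent, fixed);
    return (buf[FID_SIZE_CONNECTABLE] == CANARY && buf[FID_SIZE_CONNECTABLE + 1] == CANARY) ? ret : -ret;
}
```

With the original check, run_case(0) reports a 10-word handle and a negative result because the extra 8-byte field landed on the canaries; with the corrected check, run_case(1) returns FILEID_INVALID and tells the caller the 10 words it needs.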

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for upgrading can be found in the official Linux kernel documentation.

Added: Nov 12, 2025, 10:29 PM
Updated: Nov 12, 2025, 10:29 PM

Vulnerability Rating (Custom Algorithm)

Category        Score
spread          9.0
impact          2.5
exploitability  5.7
remediation     7.7
relevance       1.0
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.