Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A memory leak vulnerability has been identified in the Linux kernel's Btrfs file system, specifically within the Qgroup management functions. The issue arises in the 'btrfs_add_qgroup_relation' function when it is called with invalid Qgroup levels (source level greater than or equal to destination level). In such cases, the function returns an error without freeing the preallocated Qgroup list, leading to a memory leak. This leak occurs because the caller sets the pointer to NULL after the function call, preventing any cleanup. The vulnerability can be exploited by an unprivileged user with access to a writable Btrfs mount, potentially exhausting kernel memory.
Exploitation of this vulnerability can lead to a memory leak of 64 bytes per failed operation, with the potential to exhaust kernel memory.
The vulnerability can be reproduced by calling the 'btrfs_add_qgroup_relation' function with invalid Qgroup levels (where the source level is greater than or equal to the destination level). This can be done through the 'btrfs_ioctl_qgroup_assign' function, which allocates memory for the Qgroup list, passes it to 'btrfs_add_qgroup_relation', and then sets the pointer to NULL, effectively losing reference to the allocated memory. When the level check fails, the allocated memory is not freed, causing a leak.
The vulnerability has been fixed by modifying the 'btrfs_add_qgroup_relation' function to free the preallocated Qgroup list before returning an error, ensuring that memory is properly managed on all error paths.
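The ownership bug and its fix described above, reduced to a userspace C model; this is an added example, not the kernel's code. The names `add_relation`, `qgroup_assign`, `leaked_bytes`, the `fixed` switch and the allocation counter are hypothetical, and the 64-byte structure is constructed to match the leak size stated above.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
/* Constructed userspace model of the ownership pattern; not kernel source. */
struct qgroup_list { char pad[64]; };  /* 64 bytes: per-call leak size cited above */
static long live_allocs;               /* allocations not yet freed */
static struct qgroup_list *list_alloc(void)
{
    struct qgroup_list *p = calloc(1, sizeof(*p));
    if (p) live_allocs++;
    return p;
}
static void list_free(struct qgroup_list *p) { if (p) { live_allocs--; free(p); } }

/* Callee: owns prealloc on every path. fixed=0 models the leaking early return. */
static int add_relation(int src, int dst, struct qgroup_list *prealloc, int fixed)
{
    if (src >= dst) {                  /* invalid levels */
        if (fixed) list_free(prealloc);  /* the fix: free before returning the error */
        return -EINVAL;
    }
    list_free(prealloc);               /* model: list is consumed on success */
    return 0;
}

/* Caller: allocates, hands the list over, then drops its only reference. */
static int qgroup_assign(int src, int dst, int fixed)
{
    struct qgroup_list *prealloc = list_alloc();
    if (!prealloc) return -ENOMEM;
    int ret = add_relation(src, dst, prealloc, fixed);
    prealloc = NULL;                   /* caller can no longer clean up */
    return ret;
}

/* Bytes still allocated after n assignments with invalid levels (1 >= 1). */
long leaked_bytes(int n, int fixed)
{
    long before = live_allocs;
    for (int i = 0; i < n; i++) qgroup_assign(1, 1, fixed);
    return (live_allocs - before) * (long)sizeof(struct qgroup_list);
}

int main(void)
{
    printf("before fix: %ld bytes leaked\n", leaked_bytes(1000, 0));
    printf("after fix:  %ld bytes leaked\n", leaked_bytes(1000, 1));
    return 0;
}
```

The same accounting applies to any interface where the callee takes ownership of a preallocated buffer: every early return in the callee needs a matching free, since the caller has already given up its reference.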