Linux Kernel Btrfs NULL Pointer Dereference Vulnerability in Subvolume Mounting

Vulnerability

A NULL pointer dereference exists in the Linux kernel's Btrfs file system, in the error path of btrfs_get_tree_subvol(). The function allocates a btrfs_fs_info and then the two superblock buffers that hang off it, super_copy and super_for_commit. If either of those allocations fails, the code bails out by calling btrfs_free_fs_info(). That teardown routine assumes a fully initialised fs_info, but at this point the structure is only partially initialised: the later setup step has not run, so the leaked-root tracking list that btrfs_check_leaked_roots() walks still holds NULL pointers. btrfs_free_fs_info() invokes btrfs_check_leaked_roots(), which dereferences NULL and the kernel crashes. The bug was found by syzkaller.

Impact

Triggering the bug crashes the kernel with a NULL pointer dereference, a local denial of service. Practical exposure is limited: mounting a Btrfs file system is a privileged operation, and the crash requires a kernel memory allocation to fail at exactly that point, which in practice means allocation fault injection or severe memory pressure rather than attacker-controlled input. Nothing beyond the crash (no memory corruption or privilege escalation) is indicated.

Reproduction

To reproduce, mount a Btrfs subvolume while forcing the allocation of super_copy or super_for_commit to fail. syzkaller reaches the path through its mount pseudo-syscall ('syz_mount'), a fuzzer-side helper that wraps the mount call rather than a kernel system call, and induces the failure with the kernel's allocation fault-injection facility. Once the allocation fails, btrfs_get_tree_subvol() calls btrfs_free_fs_info() on the partially initialised fs_info, btrfs_check_leaked_roots() follows the uninitialised list pointers, and the kernel takes a page fault on a near-NULL address and crashes. Note that the leaked-root walk is only compiled in on kernels built with CONFIG_BTRFS_DEBUG, which is how syzkaller kernels are configured; on a production kernel the same error path frees the structure without running the check.
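The following is an added illustration, written for this page in plain user-space C; it is not kernel code and not part of the original report. It models the teardown-ordering bug described in the Vulnerability and Reproduction sections above: a zero-filled structure is not a fully initialised one, because an empty kernel list head points at itself while a zeroed one holds NULL, so a teardown routine that walks the list before the initialisation step has run dereferences NULL. The names fs_info, super_copy, super_for_commit, init_fs_info and check_leaked_roots mirror the advisory but are local definitions here; the fail_slot parameter stands in for kernel allocation fault injection and is an assumption of this example. The vulnerable and fixed shapes of the error path sit side by side; in the kernel the vulnerable one oopses, here it reports RET_WOULD_CRASH so the outcome can be observed.

```c
/* Added example, not kernel code: models why calling a full teardown on a
 * partially initialised structure dereferences NULL, and the fixed error path. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define SUPER_INFO_SIZE 4096

enum { RET_OK = 0, RET_ENOMEM = 1, RET_WOULD_CRASH = -1 };

struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

struct fs_info {
	void *super_copy;
	void *super_for_commit;
	/* Leak-tracking list, valid only after init_fs_info(). A zero-filled head
	 * is NOT an empty list: an empty list points at itself, a zeroed one is NULL. */
	struct list_head allocated_roots;
};

/* The later initialisation step that the early error path never reaches. */
static void init_fs_info(struct fs_info *fi)
{
	init_list_head(&fi->allocated_roots);
}

/* Walks allocated_roots and returns the number of entries still on it.
 * The kernel routine has no guard and faults on the NULL pointer; this model
 * reports that outcome as RET_WOULD_CRASH instead of crashing the process. */
static int check_leaked_roots(const struct fs_info *fi)
{
	const struct list_head *head = &fi->allocated_roots;
	if (head->next == NULL || head->prev == NULL)
		return RET_WOULD_CRASH;
	int n = 0;
	for (const struct list_head *p = head->next; p != head; p = p->next)
		n++;
	return n;
}

/* Full teardown: correct only for a fully initialised fs_info. */
static int free_fs_info(struct fs_info *fi)
{
	int leaked = check_leaked_roots(fi);
	free(fi->super_copy);
	free(fi->super_for_commit);
	free(fi);
	return leaked;
}

/* Fault injection stand-in. fail_slot: 0 = no failure,
 * 1 = super_copy allocation fails, 2 = super_for_commit allocation fails. */
static void *alloc_super(int slot, int fail_slot)
{
	return slot == fail_slot ? NULL : calloc(1, SUPER_INFO_SIZE);
}

/* Vulnerable shape: the early error path reuses the full teardown. */
static int get_tree_subvol_vulnerable(int fail_slot)
{
	struct fs_info *fi = calloc(1, sizeof(*fi));
	if (!fi)
		return RET_ENOMEM;
	fi->super_copy = alloc_super(1, fail_slot);
	fi->super_for_commit = alloc_super(2, fail_slot);
	if (!fi->super_copy || !fi->super_for_commit) {
		/* BUG: fi is only zero-filled; init_fs_info() has not run yet. */
		return free_fs_info(fi) == RET_WOULD_CRASH ? RET_WOULD_CRASH : RET_ENOMEM;
	}
	init_fs_info(fi);
	(void)free_fs_info(fi); /* list initialised, so the walk is safe here */
	return RET_OK;
}

/* Fixed shape: the error path releases only what this function set up. */
static int get_tree_subvol_fixed(int fail_slot)
{
	struct fs_info *fi = calloc(1, sizeof(*fi));
	if (!fi)
		return RET_ENOMEM;
	fi->super_copy = alloc_super(1, fail_slot);
	fi->super_for_commit = alloc_super(2, fail_slot);
	if (!fi->super_copy || !fi->super_for_commit) {
		free(fi->super_copy);       /* free(NULL) is a no-op */
		free(fi->super_for_commit);
		free(fi);
		return RET_ENOMEM;
	}
	init_fs_info(fi);
	(void)free_fs_info(fi);
	return RET_OK;
}

int main(void)
{
	printf("vulnerable path, super_copy allocation fails: %d\n", get_tree_subvol_vulnerable(1));
	printf("fixed path, super_copy allocation fails:      %d\n", get_tree_subvol_fixed(1));
	return 0;
}
```

The general lesson the model shows is the one a reviewer applies to any kernel error path: a cleanup routine written for the fully constructed object must not be called before construction has finished; release exactly the resources acquired so far, in reverse order, and leave the full teardown to the point where every field it touches is valid.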

Remediation

Upgrade to a kernel release that includes the fix, or apply your distribution's backported patch; distribution kernels and stable branches receive it through their normal update channels. The fix changes the error path so that btrfs_free_fs_info() is no longer called on a partially initialised fs_info; only the resources allocated up to that point are released. Until patched, exposure is confined to privileged local users and to kernels under allocation fault injection or severe memory pressure, as described above.

Added: Dec 4, 2025, 4:57 PM
Updated: Dec 4, 2025, 5:56 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          9.0
impact          2.5
exploitability  4.3
remediation     7.7
relevance       1.3
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.