Linux Kernel Btrfs Double Free Vulnerability in Qgroup Record Handling

Vulnerability

A double free vulnerability has been identified in the Linux kernel's Btrfs file system, specifically in the management of quota group (qgroup) records. This issue arises in versions of the Linux kernel prior to the latest stable release, when the 'add_delayed_ref_head()' function encounters an error after a qgroup record has been acknowledged as existing. The function's failure prevents it from nullifying the pointer to the record before it is freed, leading to a scenario where memory is deallocated twice. The vulnerability stems from unclear ownership responsibilities for the qgroup record between the caller and the callee, creating a risk of memory corruption.
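The ownership problem described above, as a simplified user-space model in C. This is an added example, not the kernel's code or the upstream fix; the names rec, rec_release, add_head_ambiguous and add_head_owned are hypothetical, and releases are counted rather than passed to free() so the double release can be observed safely.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for a qgroup record: counts releases instead of calling free(). */
struct rec { int releases; };
static void rec_release(struct rec *r) { if (r) r->releases++; }

/* Ambiguous ownership: the callee drops a record that already exists, but an
 * error returned afterwards gives the caller no sign that it is gone. */
static int add_head_ambiguous(struct rec *r, bool exists, bool fail_later)
{
    if (exists)
        rec_release(r);
    return fail_later ? -1 : 0;
}

static int caller_ambiguous(bool exists, bool fail_later)
{
    struct rec r = {0};
    if (add_head_ambiguous(&r, exists, fail_later) < 0)
        rec_release(&r);            /* second release when exists && fail_later */
    return r.releases;
}

/* Explicit ownership: the callee clears the caller's pointer when it releases,
 * so the caller's error path becomes a no-op for that record. */
static int add_head_owned(struct rec **rp, bool exists, bool fail_later)
{
    if (exists) {
        rec_release(*rp);
        *rp = NULL;
    }
    return fail_later ? -1 : 0;
}

static int caller_owned(bool exists, bool fail_later)
{
    struct rec r = {0}, *p = &r;
    if (add_head_owned(&p, exists, fail_later) < 0)
        rec_release(p);             /* p is NULL if the callee already released */
    return r.releases;
}

int main(void)
{
    printf("ambiguous: %d release(s)\n", caller_ambiguous(true, true));
    printf("owned:     %d release(s)\n", caller_owned(true, true));
    return 0;
}
```

In the model, only the combination "record already exists" plus "later error" produces two releases; every other path releases the record at most once under either convention.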

Impact

Exploitation of this vulnerability can lead to memory corruption due to the double free, which may cause undefined behavior in the kernel, potentially allowing for arbitrary code execution or escalation of privileges.

Reproduction

To reproduce this vulnerability, a scenario must be created where a qgroup record is first reported as existing, and then an error occurs when attempting to add a delayed reference head for that record. This can be achieved by manipulating the Btrfs quota group tracing logic to simulate the error condition, while ensuring that the record is still treated as valid. Once the error is triggered, the record will be freed without the pointer being properly reset, causing the double free condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Dec 24, 2025, 12:15 PM
Updated: Dec 24, 2025, 12:15 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.