Linux Kernel Btrfs Filesystem Transaction Abort Vulnerability Due to Item Overflow

Vulnerability

A vulnerability in the Linux kernel's Btrfs filesystem, a transaction abort triggered by an item overflow, has been fixed. The issue arose when the 'set received' ioctl was used to add UUIDs to subvolumes: if the same UUID was applied to multiple subvolumes, an overflow would occur, causing the transaction to abort and the filesystem to switch to read-only mode. Notably, users who own the subvolume could trigger this without administrative privileges.

Impact

Exploitation of this vulnerability could lead to a denial of service, causing the Btrfs filesystem to become read-only and disrupting normal operations.

Reproduction

To reproduce this vulnerability, a user can call the 'set received' ioctl on a Btrfs subvolume with a UUID that has already been used for other subvolumes. This will cause an item overflow, trigger a transaction abort, and turn the filesystem into read-only mode.

Remediation

The vulnerability has been fixed by adding an early check for item overflow before starting a transaction, so that such an overflow can no longer occur inside a transaction and disrupt filesystem operations.
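
The pattern behind the fix, as an added example that is neither kernel code nor code from this page: a simplified user-space C model that compares an overflow discovered inside a transaction with one checked before the transaction starts. All names (`fs_model`, `set_received_unchecked`, `set_received_checked`) and the 32-byte item limit are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model; every name and size is an assumption. */
#define MAX_ITEM_SIZE 32u   /* constructed limit: room for four 8-byte ids */

struct fs_model {
    size_t uuid_item_size;  /* bytes already stored under one UUID key */
    int read_only;          /* set when a transaction is aborted */
};

/* Would appending one more subvolume id exceed the item size limit? */
static int uuid_item_would_overflow(const struct fs_model *fs)
{
    return fs->uuid_item_size + sizeof(uint64_t) > MAX_ITEM_SIZE;
}

static int uuid_item_add(struct fs_model *fs)
{
    if (uuid_item_would_overflow(fs))
        return -EOVERFLOW;
    fs->uuid_item_size += sizeof(uint64_t);
    return 0;
}

/* Before the fix: overflow surfaces inside the transaction, which aborts. */
static int set_received_unchecked(struct fs_model *fs)
{
    int ret = uuid_item_add(fs);
    if (ret)
        fs->read_only = 1;  /* models abort -> read-only filesystem */
    return ret;
}

/* After the fix: reject the request before any transaction is started. */
static int set_received_checked(struct fs_model *fs)
{
    if (uuid_item_would_overflow(fs))
        return -EOVERFLOW;  /* caller sees an error, filesystem stays writable */
    return uuid_item_add(fs);
}

int main(void)
{
    struct fs_model a = {0, 0}, b = {0, 0};
    for (int i = 0; i < 5; i++) { set_received_unchecked(&a); set_received_checked(&b); }
    printf("read_only: unchecked=%d checked=%d\n", a.read_only, b.read_only);
    return 0;
}
```

In both variants the fifth request fails with `-EOVERFLOW`; only the unchecked one leaves the modelled filesystem read-only.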

Added: May 8, 2026, 9:42 PM
Updated: May 8, 2026, 9:42 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.