Linux Kernel Btrfs Filesystem Denial-of-Service Vulnerability via Name Hash Collision

Vulnerability

A vulnerability in the Btrfs filesystem of the Linux kernel can lead to a denial-of-service condition. When multiple files are created with names that produce the same hash, they must be stored in the same directory item. This storage method has a limit based on the size of the leaf node. If the limit is exceeded, it causes a transaction abort, which in turn forces the filesystem into read-only mode. This issue can be exploited by a malicious user without requiring administrative privileges.

Impact

Exploitation of this vulnerability causes the Btrfs filesystem to enter a read-only state, disrupting normal file operations.

Reproduction

The vulnerability can be reproduced by creating a Btrfs filesystem with a small node size, which increases the likelihood of hash collisions. After mounting the filesystem, a series of file names that are known to collide can be created. Once the directory item limit is reached, adding another file that causes a collision will trigger the transaction abort, as indicated by the system logs. This process can be automated with a script that performs these actions and checks the resulting filesystem state.
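A defender-side check for the symptoms described above, added here as an example and not part of the original advisory: it scans kernel log lines for a Btrfs transaction abort plus a forced read-only transition and confirms the state against /proc/mounts content. The log and mount lines are constructed samples, and the message patterns are assumptions modeled on Btrfs kernel messages whose exact wording varies by kernel version.

```python
import os
import re

# Assumed message shapes; adjust to the wording your kernel version emits.
DEVICE_RE = re.compile(r"BTRFS[^(]*\(device (?P<dev>\S+?)(?: state \w+)?\)", re.I)
ABORT_RE = re.compile(r"Transaction aborted \(error (?P<errno>-?\d+)\)", re.I)
READONLY_RE = re.compile(r"forced readonly", re.I)

# Constructed sample input (not taken from the advisory).
SAMPLE_LOG = [
    "[  412.70] BTRFS error (device loop0 state A): Transaction aborted (error -75)",
    "[  412.71] BTRFS info (device loop0 state EA): forced readonly",
    "[  500.00] BTRFS info (device sdb1): disk space caching is enabled",
]
SAMPLE_MOUNTS = (
    "/dev/loop0 /mnt/test btrfs ro,relatime,space_cache=v2 0 0\n"
    "/dev/sdb1 /data btrfs rw,relatime 0 0\n"
)

def scan_kernel_log(lines):
    """Map device -> abort errnos and forced-readonly flag seen in the log."""
    findings = {}
    for line in lines:
        dev = DEVICE_RE.search(line)
        if not dev:
            continue
        entry = findings.setdefault(dev["dev"], {"aborts": [], "forced_readonly": False})
        abort = ABORT_RE.search(line)
        if abort:
            entry["aborts"].append(int(abort["errno"]))
        if READONLY_RE.search(line):
            entry["forced_readonly"] = True
    # Keep only devices that showed at least one of the two symptoms.
    return {d: e for d, e in findings.items() if e["aborts"] or e["forced_readonly"]}

def readonly_btrfs_mounts(proc_mounts_text):
    """Map device basename -> mount point for Btrfs mounts carrying the ro option."""
    hits = {}
    for row in proc_mounts_text.splitlines():
        fields = row.split()
        if len(fields) >= 4 and fields[2] == "btrfs" and "ro" in fields[3].split(","):
            hits[os.path.basename(fields[0])] = fields[1]
    return hits

def triage(log_lines, proc_mounts_text):
    """Devices with an abort and forced readonly in the log that are still mounted ro."""
    ro = readonly_btrfs_mounts(proc_mounts_text)
    return sorted((dev, ro[dev]) for dev, e in scan_kernel_log(log_lines).items()
                  if e["aborts"] and e["forced_readonly"] and dev in ro)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_MOUNTS))
```

On a live host, feed it the output of `dmesg` (or the kernel journal) split into lines and the contents of `/proc/mounts`.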

Remediation

The vulnerability has been addressed in Linux kernel commits 2d1ababdedd4ba38867c2500eb7f95af5ddeeef7, 36947b5200b89bbe3a63629c12d4b31c84c0af9f, 5e2ea10b800d1bbb95e0c01a83f4f8119ac5d688, 64ad49597d14c495ab8b7933bfefc83936a598e4, and 9273175bf16c83f3ec93aa242d78c9b5db452d4d.

Added: May 8, 2026, 9:41 PM
Updated: May 8, 2026, 9:41 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.