Linux Kernel Btrfs Filesystem Transaction Abort Vulnerability During Snapshotting

A vulnerability in the Linux kernel's Btrfs filesystem allows a user to cause a transaction abort by repeatedly snapshotting a received snapshot. This can lead to an overflow of the BTRFS_UUID_KEY_RECEIVED_SUBVOL item, causing the filesystem to become read-only. The snapshotting process, along with the sending and receiving of subvolumes, does not require administrative privileges, potentially allowing a malicious user to disrupt system operations by forcing the filesystem into a read-only state.

Impact

Exploiting this vulnerability causes the Btrfs filesystem to enter a read-only state, disrupting normal file operations and potentially leading to system instability.

Reproduction

The vulnerability can be reproduced by creating a Btrfs subvolume, sending it to a snapshot directory, and then receiving it back. After that, the received subvolume can be repeatedly snapshot until the UUID item overflow occurs, causing a transaction abort and the filesystem to become read-only.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.