Linux Kernel Double Free Vulnerability in Btrfs Space Info Sub-Group Handling

Vulnerability

A double free vulnerability has been identified in the Linux kernel's Btrfs file system management. This issue arises in the 'create_space_info_sub_group' function, where a failure in initializing a kobject leads to the premature release of a memory structure. The error handling process inadvertently frees the same memory twice, creating a potential for memory corruption. This vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability could lead to memory corruption, which may be leveraged to execute arbitrary code or cause a denial of service by crashing the system.

Reproduction

To reproduce this vulnerability, create a Btrfs file system and introduce a scenario where the 'kobject_init_and_add' function fails after a sub-group has been allocated but before it has been fully initialized. This can be done by modifying the Btrfs space information handling to simulate a kobject initialization failure. Once the failure occurs, the error path will be triggered, leading to the sub-group being freed twice.
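The error path described above can be modelled in user space. This is an added example, not kernel code and not code from this advisory: the names `sub_group`, `model_sysfs_add`, `model_put` and `model_kfree` are hypothetical. It assumes the registration helper drops the object's last reference when kobject setup fails, so the release callback has already freed the object before the caller's error path runs.

```c
/* User-space model, constructed for illustration; not kernel source. */
#include <stdio.h>
#include <stdlib.h>

struct sub_group {                 /* stand-in for an object embedding a kobject */
    int refcount;
    void (*release)(struct sub_group *);
};

static int free_calls;             /* times the model tried to free the object */
/* Records a kfree() attempt; the real free() is deferred so the demo is UB-free. */
static void model_kfree(struct sub_group *sg) { (void)sg; free_calls++; }

/* Drops a reference; the last put runs release(), as kobject_put() does. */
static void model_put(struct sub_group *sg)
{
    if (--sg->refcount == 0)
        sg->release(sg);
}

/* Hypothetical sysfs helper: on init-and-add failure it puts the object itself. */
static int model_sysfs_add(struct sub_group *sg, int fail)
{
    sg->refcount = 1;
    sg->release = model_kfree;
    if (fail) {
        model_put(sg);             /* release() runs here: first free */
        return -1;
    }
    return 0;
}

/* Returns how many frees the failure path performs (1 is correct, 2 is the bug). */
static int failure_path_frees(int caller_also_frees)
{
    struct sub_group *sg = malloc(sizeof(*sg));
    if (!sg) return -1;
    free_calls = 0;
    if (model_sysfs_add(sg, 1) < 0 && caller_also_frees)
        model_kfree(sg);           /* buggy error path: second free */
    free(sg);                      /* the one real free of the backing memory */
    return free_calls;
}

int main(void)
{
    printf("buggy: %d frees, fixed: %d\n", failure_path_frees(1), failure_path_frees(0));
    return 0;
}
```

In this model the corrected error path performs no free of its own, because ownership passed to the release callback once the object was initialized.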

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed. Instructions for downloading the latest kernel version can be found on the official Linux kernel website.

Added: May 28, 2026, 12:42 PM
Updated: May 28, 2026, 12:42 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 9.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.