btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids()
Description
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids()
Mounting btrfs from two images (which have the same one fsid and two different dev_uuids) in certain executing order may trigger an UAF for variable 'device->bdev_file' in __btrfs_free_extra_devids(). And following are the details:
1. Attach image_1 to loop0, attach image_2 to loop1, and scan btrfs devices by ioctl(BTRFS_IOC_SCAN_DEV):
/ btrfs_device_1 → loop0 fs_device \ btrfs_device_2 → loop1 2. mount /dev/loop0 /mnt btrfs_open_devices btrfs_device_1->bdev_file = btrfs_get_bdev_and_sb(loop0) btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1) btrfs_fill_super open_ctree fail: btrfs_close_devices // -ENOMEM btrfs_close_bdev(btrfs_device_1) fput(btrfs_device_1->bdev_file) // btrfs_device_1->bdev_file is freed btrfs_close_bdev(btrfs_device_2) fput(btrfs_device_2->bdev_file)
3. mount /dev/loop1 /mnt btrfs_open_devices btrfs_get_bdev_and_sb(&bdev_file) // EIO, btrfs_device_1->bdev_file is not assigned, // which points to a freed memory area btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1) btrfs_fill_super open_ctree btrfs_free_extra_devids if (btrfs_device_1->bdev_file) fput(btrfs_device_1->bdev_file) // UAF !
Fix it by setting 'device->bdev_file' as 'NULL' after closing the btrfs_device in btrfs_close_one_device().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
12- osv-coords10 versionspkg:deb/ubuntu/linux@6.11.0-18.18?arch=source&distro=oracularpkg:deb/ubuntu/linux-aws@6.11.0-1009.10?arch=source&distro=oracularpkg:deb/ubuntu/linux-azure@6.11.0-1009.9?arch=source&distro=oracularpkg:deb/ubuntu/linux-gcp@6.11.0-1009.9?arch=source&distro=oracularpkg:deb/ubuntu/linux-lowlatency@6.11.0-1010.11?arch=source&distro=oracularpkg:deb/ubuntu/linux-oracle@6.11.0-1011.12?arch=source&distro=oracularpkg:deb/ubuntu/linux-raspi@6.11.0-1008.8?arch=source&distro=oracularpkg:deb/ubuntu/linux-realtime@6.11.0-1005.5?arch=source&distro=oracularpkg:rpm/opensuse/kernel-source&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/kernel-source-longterm&distro=openSUSE%20Tumbleweed
< 6.11.0-18.18+ 9 more
- (no CPE)range: < 6.11.0-18.18
- (no CPE)range: < 6.11.0-1009.10
- (no CPE)range: < 6.11.0-1009.9
- (no CPE)range: < 6.11.0-1009.9
- (no CPE)range: < 6.11.0-1010.11
- (no CPE)range: < 6.11.0-1011.12
- (no CPE)range: < 6.11.0-1008.8
- (no CPE)range: < 6.11.0-1005.5
- (no CPE)range: < 6.11.8-1.1
- (no CPE)range: < 6.12.11-1.1
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.