David Arendt

#33883 of 53,639
7.8 Total CVSS
Vulnerabilities · 1
PT-2024-33714
7.8
2024-10-01
Linux · Linux Kernel · CVE-2024-49869
Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.11.2. The fault is only observable on kernels built with CONFIG_FORTIFY_SOURCE, and only where `struct name_cache_entry` in the btrfs send code carries the `__counted_by()` annotation; builds without either do not report it.

Description: A buffer overflow detection bug has been identified in the btrfs send code of the Linux kernel. The `name` flexible array in `struct name_cache_entry` is annotated with the `__counted_by(name_len)` attribute, which tells a fortified kernel that exactly `name_len` bytes belong to the array so that writes into it can be bounds-checked. However, `name_len` holds the path length without the terminating NUL, while the code copied the path into the cache entry with `strcpy()`, which writes `name_len + 1` bytes. The length the checker derives from `name_len` therefore never matches what `strcpy()` writes, and a fortified kernel reports a buffer overflow in `strcpy()` and kills the task through the fortify overflow handler (a kernel BUG), even though the allocation itself has room for the terminator. The practical effect is a denial of service whenever a send operation populates the name cache. Arbitrary code execution is listed as a possible outcome, but the underlying fault is a false-positive report from a hardening check rather than an attacker-controlled out-of-bounds write. Because the send ioctl requires CAP_SYS_ADMIN, the issue is reachable only by privileged processes, typically routine snapshot replication or backup jobs. The estimated number of potentially affected devices is not specified. The fix marks the `name` array as `__nonstring` (it is a byte buffer of `name_len` bytes, not a NUL-terminated string) and copies the path with `memcpy()` for `name_len` bytes instead of `strcpy()`; all readers of the entry already use `name_len` rather than a terminator.

Recommendations: Upgrade the Linux kernel to 6.11.2 or later. Until that is possible, stop running `btrfs send` (and replication tools built on it) on affected kernels, since each send that fills the name cache can crash the machine, and restrict the ability to invoke it to the administrative accounts that genuinely need it. Rebuilding the kernel without CONFIG_FORTIFY_SOURCE would silence the report but removes a hardening feature and is not recommended. The `name` array is internal to the kernel's send code and is not exposed to user space, so there is nothing for applications to avoid beyond the send operation itself.
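The mismatch described above, as an added user-space C model; this is not code from the kernel or from the page. The struct is reduced to the two fields that matter, the fortified check is modelled by a function that compares bytes written against the size derived from `name_len`, and the allocation sizes (room for a NUL in the pre-fix shape, exactly `name_len` bytes in the post-fix shape) are assumptions chosen to illustrate the point:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/*
 * Reduced model of btrfs's name cache entry. The real struct has more
 * fields; the two that matter here are name_len and the flexible array
 * it describes. Upstream the array is annotated __counted_by(name_len),
 * which tells a fortified kernel that exactly name_len bytes belong to it.
 */
struct name_cache_entry {
	size_t name_len;	/* path length, NOT counting a terminating NUL */
	char name[];		/* __counted_by(name_len) upstream */
};

/* Size that FORTIFY_SOURCE derives for nce->name from the counted-by field. */
static size_t fortify_dest_size(const struct name_cache_entry *nce)
{
	return nce->name_len;
}

/*
 * Model of the fortified check: strcpy() writes strlen(src) + 1 bytes,
 * memcpy() writes exactly n. If the write exceeds the size derived above,
 * the kernel's overflow handler fires and the task dies with a BUG.
 */
static bool fortify_would_trap(const struct name_cache_entry *nce,
			       size_t bytes_written)
{
	return bytes_written > fortify_dest_size(nce);
}

/*
 * Pre-fix shape (assumed allocation): room for the NUL is allocated, but
 * strcpy() is checked against name_len, so every path, even an empty one,
 * trips the detector although the copy itself stays inside the allocation.
 */
static struct name_cache_entry *name_cache_entry_strcpy(const char *path,
							bool *trapped)
{
	size_t len = strlen(path);
	struct name_cache_entry *nce = malloc(sizeof(*nce) + len + 1);

	if (!nce)
		return NULL;
	nce->name_len = len;
	*trapped = fortify_would_trap(nce, len + 1);
	strcpy(nce->name, path);
	return nce;
}

/*
 * Post-fix shape: the array is a __nonstring byte buffer; copy name_len
 * bytes with memcpy() and never rely on a terminator being present.
 */
static struct name_cache_entry *name_cache_entry_memcpy(const char *path,
							bool *trapped)
{
	size_t len = strlen(path);
	struct name_cache_entry *nce = malloc(sizeof(*nce) + len);

	if (!nce)
		return NULL;
	nce->name_len = len;
	*trapped = fortify_would_trap(nce, len);
	memcpy(nce->name, path, len);
	return nce;
}

/*
 * Consumers must read name_len bytes; strlen() on a __nonstring array is
 * wrong. Copies the name into a NUL-terminated buffer and returns the
 * number of name bytes copied (truncating if dst is too small).
 */
static size_t name_cache_entry_copy_out(const struct name_cache_entry *nce,
					char *dst, size_t dstsz)
{
	size_t n;

	if (dstsz == 0)
		return 0;
	n = nce->name_len < dstsz - 1 ? nce->name_len : dstsz - 1;
	memcpy(dst, nce->name, n);
	dst[n] = '\0';
	return n;
}
```

The pre-fix variant allocates enough space for the terminator, which is why the original copy never corrupted memory; what changed with the annotation is what the checker believes the destination size to be, and `strcpy()` always writes one byte more than that belief. The post-fix variant keeps the checker and the copy in agreement by treating the array as raw bytes.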