David Sterba

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A vulnerability in the Linux kernel has been resolved, related to the btrfs file system. The issue occurs when updating the action of an existing reference to BTRFS DROP DELAYED REF, which deletes the reference from its list using `list del()`. This leaves the reference's `add list` member not reinitialized, causing a crash when `drop delayed ref()` is called later. The crash happens because `list empty()` returns false due to the list not being reinitialized after `list del()`, leading to an invalid list access. This results in a splat if `CONFIG LIST HARDENED` and `CONFIG DEBUG LIST` are set, or invalid poison pointer dereferences otherwise. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.48/6.10.7 **Description** A use-after-free vulnerability has been identified in the Linux kernel's btrfs file system, specifically in the `btrfs submit chunk()` function. This vulnerability can be triggered when the kernel encounters an error while processing a read bio, leading to a double-freeing of memory and potentially causing a use-after-free condition. The vulnerability is caused by the `btrfs bio end io()` function calling the original endio function, which frees the whole bio, and then later calling the original endio function again, causing a double freeing. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix for this vulnerability, which is versions 6.6.48/6.10.7 or later. As a temporary workaround, consider disabling the `btrfs submit chunk()` function until a patch is available. However, this workaround may have significant performance implications and should be used with caution.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a memory leak in the btrfs component of the Linux kernel. When `btrfs qgroup reserve data()` or `btrfs delalloc reserve metadata()` fail, the allocated `extent changeset` is not freed, leading to a memory leak. This issue only occurs in the direct IO write path, specifically after a certain commit (`65b3c08606e5`) that fixed an ENOSPC failure when attempting direct IO write into a NOCOW range, and also at `defrag one locked target()`. The memory leak can cause problems, but the exact impact is not specified. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free vulnerability in the btrfs load zone info() function, which can be triggered by a race condition with a device replace operation. This happens because the function extracts a device from the chunk map into a local variable and then uses the device while not under the protection of the device replace rwsem. If a device replace operation occurs while the device is being extracted and the device is the source of the replace operation, a use-after-free can be triggered if the replace operation finishes and frees the device before the function finishes using it. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the btrfs component of the Linux kernel and involves an error in handling chunk tree lookup in the `btrfs relocate sys chunks()` function. This error can lead to corruption and potentially allow an attacker to cause a denial of service. The vulnerability is caused by two impossible conditions: the search key being set up to look for a chunk tree item with an offset of -1, and the found key corresponding to a chunk item after a successful search. The offset is decremented by 1 before the next loop, making it impossible to find a chunk item due to alignment and size constraints. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the btrfs send component in the Linux kernel, specifically with error handling in the `iterate inode ref()` function. This can potentially lead to a denial of service. The problem arises when building the path buffer fails, and the code has been updated to handle this situation properly, preventing potential kernel address leaks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A deadlock vulnerability has been found in the Linux kernel, specifically in the btrfs file system. The issue occurs when the quota disable ioctl starts a transaction before waiting for the qgroup rescan worker to complete, resulting in a circular dependency among the quota disable ioctl, the qgroup rescan worker, and other tasks with transactions. This can lead to an infinite wait and a deadlock. The vulnerability was discovered using the fstests test case btrfs/115 and a zoned null blk device. An example report of the deadlock is provided, showing tasks blocked for more than 122 seconds. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue occurs due to incorrect abort logic in the `btrfs replace file extents` function. Error injection testing revealed a case where a corrupt file system with a missing extent in the middle of a file could occur. The problem arises because the if statement to decide if an abort is necessary is incorrect. The only situation where an abort would happen is if a specific error code (`-EOPNOTSUPP`) is not returned and the call comes from the file clone code. However, the prealloc code also uses this path, and instead, an abort should occur if there is an error, except for the `-EOPNOTSUPP` error when coming from the clone file code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.3.3 **Description** The issue allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging improper access to a certain error field in the ext4 journal stop function. **Recommendations** For versions prior to 4.3.3, update to version 4.3.3 or later to resolve the issue.