A vulnerability in the Linux kernel's Btrfs (B-tree file system), a copy-on-write (CoW) file system developed for Linux, has been resolved. The issue is a use-after-free bug in the do_zone_finish() function, and it was reported by Shinichiro.

- Linux Kernel Git Repository
- Latest Stable Linux Kernel Releases
- Btrfs Wiki

Exploit Details

This blog post details the use-after-free vulnerability in the do_zone_finish() function of the Btrfs subsystem of the Linux kernel. The bug was triggered by the device replace operation exercised by the fstests test btrfs/070.

The issue surfaced when do_zone_finish() accessed memory that had already been freed. Analysis showed that do_zone_finish() was reading stale zone information belonging to a btrfs_device that had already been removed. The following sequence of events led to the problem:

1. The btrfs_dev_replace_start function called btrfs_scrub_dev.
2. The btrfs_scrub_dev function called btrfs_dev_replace_finishing, which swapped the source device for the target device in the mapping tree via btrfs_dev_replace_update_device_in_mapping_tree.
3. The btrfs_dev_replace_finishing function then called btrfs_rm_dev_replace_free_srcdev, which called btrfs_free_device, freeing the source device.
4. Later, the cleaner_kthread function called btrfs_delete_unused_bgs, then btrfs_zone_finish, and finally do_zone_finish, which dereferenced zone information belonging to the device that had already been freed.

The Btrfs developers have fixed this use-after-free in the Linux kernel. With the fix applied, the stale access no longer happens, removing a source of kernel crashes and of memory corruption that could potentially be exploited.

The following call trace shows the two paths involved: the device replace path that frees the source device, and the cleaner path that later reaches do_zone_finish():

...
btrfs_dev_replace_start()
  btrfs_scrub_dev()
   btrfs_dev_replace_finishing()
    btrfs_dev_replace_update_device_in_mapping_tree()
    btrfs_rm_dev_replace_free_srcdev()
     btrfs_free_device()

cleaner_kthread()
 btrfs_delete_unused_bgs()
  btrfs_zone_finish()
   do_zone_finish()
...

The trace shows that by the time the cleaner thread reaches do_zone_finish(), the device it refers to has already been freed on the replace path. Fixing this use-after-free bug improves the stability and security of the kernel. If you are running a Linux system with a Btrfs file system, update your kernel to the latest stable version so that you are not exposed to this issue.
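To make the lifetime problem in the sequence above concrete, here is an added C model of the two racing paths. It is not Btrfs code and not the upstream fix: every name (model_device, model_map, model_dev_replace, model_zone_finish, run_scenario) is hypothetical, and the mitigation it shows is the generic one of the user holding its own reference on the device for the duration of the work, which is one standard way of preventing this class of bug rather than a description of what the kernel patch does. The device replace drops the map's reference on the source device; because the cleaner-side zone finish took a reference first, the zone information stays valid until the cleaner is done, and the device is freed only afterwards.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not btrfs code: a device owns its zone information, a
 * chunk map points at devices, device replace swaps a device out of the map,
 * and a cleaner path finishing a zone may still be using the old device.
 * All identifiers are hypothetical. */

struct model_zone_info {
    unsigned long zone_size;
    int *zone_state;            /* per-zone state, released with the device */
};

struct model_device {
    int refcount;               /* lifetime is reference counted */
    int devid;
    struct model_zone_info *zone_info;
};

#define MAX_STRIPES 4
struct model_map {
    int num_stripes;
    struct model_device *stripes[MAX_STRIPES];
};

static int devices_freed;       /* lets a caller observe when memory really goes */

static struct model_device *device_alloc(int devid, unsigned long zone_size)
{
    struct model_device *dev = calloc(1, sizeof(*dev));
    dev->refcount = 1;          /* the caller's reference */
    dev->devid = devid;
    dev->zone_info = calloc(1, sizeof(*dev->zone_info));
    dev->zone_info->zone_size = zone_size;
    dev->zone_info->zone_state = calloc(8, sizeof(int));
    return dev;
}

static void device_free(struct model_device *dev)
{
    free(dev->zone_info->zone_state);
    free(dev->zone_info);
    free(dev);
    devices_freed++;
}

static struct model_device *device_get(struct model_device *dev)
{
    dev->refcount++;
    return dev;
}

static void device_put(struct model_device *dev)
{
    if (--dev->refcount == 0)
        device_free(dev);
}

/* Device replace: point the map at the target and drop the map's reference on
 * the source. If nobody else holds the source it is freed right here, which is
 * the moment a raw pointer cached by another thread would go stale. */
static void model_dev_replace(struct model_map *map, struct model_device *srcdev,
                              struct model_device *tgtdev)
{
    for (int i = 0; i < map->num_stripes; i++) {
        if (map->stripes[i] == srcdev) {
            map->stripes[i] = device_get(tgtdev);
            device_put(srcdev);
        }
    }
}

struct race_ctx {
    struct model_map *map;
    struct model_device *src, *tgt;
    int freed_right_after_replace;
};

/* Stands in for the replace completing while the cleaner is mid-way. */
static void race_replace(void *arg)
{
    struct race_ctx *ctx = arg;
    model_dev_replace(ctx->map, ctx->src, ctx->tgt);
    ctx->freed_right_after_replace = devices_freed;
}

/* Cleaner-side zone finish. Taking a reference before the work and dropping it
 * afterwards is what keeps dev->zone_info valid across the race window. */
static unsigned long model_zone_finish(struct model_map *map, int stripe,
                                       void (*race)(void *), void *race_arg)
{
    struct model_device *dev = device_get(map->stripes[stripe]);
    unsigned long zone_size;

    if (race)
        race(race_arg);                     /* replace runs here in the model */
    zone_size = dev->zone_info->zone_size;  /* still valid: we hold a reference */
    dev->zone_info->zone_state[0] = 1;      /* mark the zone finished */
    device_put(dev);                        /* last reference: source device freed now */
    return zone_size;
}

struct scenario_result {
    unsigned long zone_size;
    int freed_right_after_replace;          /* expected 0: cleaner kept it alive */
    int freed_after_finish;                 /* expected 1: freed once cleaner was done */
    int mapped_devid;                       /* expected 2: map now points at target */
};

/* Runs one replace racing one zone finish and reports what was observed. */
static struct scenario_result run_scenario(void)
{
    int freed_before = devices_freed;
    struct model_device *src = device_alloc(1, 256UL << 20);   /* constructed 256 MiB zones */
    struct model_device *tgt = device_alloc(2, 256UL << 20);
    struct model_map map = { .num_stripes = 1, .stripes = { src } }; /* map owns src's ref */
    struct race_ctx ctx = { &map, src, tgt, 0 };
    struct scenario_result r;

    r.zone_size = model_zone_finish(&map, 0, race_replace, &ctx);
    r.freed_right_after_replace = ctx.freed_right_after_replace - freed_before;
    r.freed_after_finish = devices_freed - freed_before;
    r.mapped_devid = map.stripes[0]->devid;
    device_put(tgt);                        /* creator's reference on the target */
    device_put(map.stripes[0]);             /* map's reference; frees the target */
    return r;
}

int main(void)
{
    struct scenario_result r = run_scenario();
    printf("zone_size=%lu freed_during_race=%d freed_after_finish=%d mapped=%d\n",
           r.zone_size, r.freed_right_after_replace, r.freed_after_finish, r.mapped_devid);
    return 0;
}
```

Compile with `cc -Wall -fsanitize=address model.c` and run it: the zone size read after the replace is the real one, no device is freed during the race window, and exactly one device (the source) is freed once the cleaner drops its reference. Remove the device_get/device_put pair in model_zone_finish and ASan reports the same kind of use-after-free the page describes, which is also the quickest way to see how KASAN catches the real bug in a kernel build.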

Timeline

Published on: 05/01/2024 06:15:10 UTC
Last modified on: 01/14/2025 14:29:21 UTC