A recent vulnerability in the Linux kernel (CVE-2024-56774) in the Btrfs file system has been addressed and resolved. The issue was a null-pointer dereference in the btrfs_search_slot() function, which could crash the kernel or cause other undesired behavior.

Background

Syzbot, an automated tool dedicated to finding bugs within the Linux kernel, reported the null-ptr-deref issue in btrfs_search_slot(). The problem occurred when mounting with the rescue=ibadroots option: a corrupted extent tree root is tolerated at mount time under that option, which leaves the kernel with a null extent tree root that btrfs_search_slot() is later handed.

Upon further analysis, it was discovered that the btrfs_search_slot() function did not check whether the target root was null before attempting to use it. This missing check is the null-pointer dereference vulnerability.

Resolution

To resolve this issue, developers added a sanity check for the Btrfs root in the btrfs_search_slot() function. This update ensures that the function properly checks if the target root is null before proceeding with its operations and prevents the null-ptr-deref vulnerability from occurring.

Here is a simplified snippet illustrating the added sanity check for the Btrfs root in btrfs_search_slot():

int btrfs_search_slot(struct btrfs_trans_handle *trans,
                      struct btrfs_root *root,
                      const struct btrfs_key *key,
                      struct btrfs_path *p,
                      int ins_len, int cow)
{
    int ret;

    /*
     * Sanity check for a null root. Nothing may be dereferenced through
     * root here (so no root->fs_info for the btrfs_err_rl() helpers);
     * warn once and reject the call instead of crashing.
     */
    if (!root) {
        WARN_ONCE(1, "btrfs: null root encountered in btrfs_search_slot()\n");
        return -EINVAL;
    }

    /* Rest of the function logic... */
}
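To make the failure chain concrete, here is an added user-space model (not kernel code and not part of the original article) of what the Background section describes: a mount that tolerates a corrupted root leaves the root pointer null, and a search function that dereferences that pointer unconditionally crashes, while one with the sanity check returns -EINVAL. The structures, the `rescue_ibadroots` flag and the toy search table are all constructed for this illustration and stand in for the real Btrfs types.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Toy model (constructed for this example): a root is a tiny table of keys. */
#define TOY_MAX_ITEMS 8
struct toy_root {
    const char *name;
    int nr_items;
    long keys[TOY_MAX_ITEMS];
};

/* Stand-in for fs_info: the extent root pointer may be NULL after a
 * rescue mount that skipped a corrupted root. */
struct toy_fs_info {
    struct toy_root *extent_root;
};

/*
 * Model of the mount path. A corrupted root either fails the mount or, with
 * the equivalent of rescue=ibadroots, is skipped and left NULL so the rest of
 * the file system can still be reached. Returns 0 on success, -EIO otherwise.
 */
int toy_mount(struct toy_fs_info *fs, struct toy_root *extent_root,
              int root_is_corrupt, int rescue_ibadroots)
{
    memset(fs, 0, sizeof(*fs));
    if (root_is_corrupt) {
        if (!rescue_ibadroots)
            return -EIO;          /* strict mount: refuse the file system */
        fs->extent_root = NULL;   /* rescue mount: tolerate it, pointer stays NULL */
        return 0;
    }
    fs->extent_root = extent_root;
    return 0;
}

/* Vulnerable shape: touches root before checking it. A NULL root crashes
 * here exactly as the kernel did. Kept for comparison; never call it with NULL. */
int toy_search_slot_unchecked(struct toy_root *root, long key)
{
    for (int i = 0; i < root->nr_items; i++)   /* root->nr_items: NULL deref */
        if (root->keys[i] == key)
            return i;
    return -ENOENT;
}

/* Hardened shape: the sanity check runs before anything is dereferenced.
 * Returns the slot index, -ENOENT if absent, or -EINVAL for a NULL root. */
int toy_search_slot(struct toy_root *root, long key)
{
    if (!root)
        return -EINVAL;
    for (int i = 0; i < root->nr_items; i++)
        if (root->keys[i] == key)
            return i;
    return -ENOENT;
}

/* Caller that looks a key up in the extent tree via fs_info, as the kernel's
 * extent-tree code does; with the hardened search a missing root is an error,
 * not a crash. */
int toy_lookup_extent(struct toy_fs_info *fs, long key)
{
    return toy_search_slot(fs->extent_root, key);
}

int main(void)
{
    struct toy_root extent = { "extent", 3, { 10, 20, 30 } };
    struct toy_fs_info fs;

    /* Healthy mount: lookups work. */
    toy_mount(&fs, &extent, 0, 0);
    printf("healthy lookup of 20 -> slot %d\n", toy_lookup_extent(&fs, 20));

    /* Corrupted root, strict mount: refused. */
    printf("strict mount of corrupt root -> %d\n", toy_mount(&fs, &extent, 1, 0));

    /* Corrupted root, rescue mount: mount succeeds, root is NULL, search rejects it. */
    toy_mount(&fs, &extent, 1, 1);
    printf("rescue mount lookup of 20 -> %d (expected -EINVAL, not a crash)\n",
           toy_lookup_extent(&fs, 20));
    return 0;
}
```

The point of the model is the ordering: the check must come before the first use of the pointer, which is also why the kernel snippet above cannot log through root->fs_info inside the check.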

References

For more information and the complete set of changes regarding this vulnerability and its resolution, please refer to the following resources:

Exploit Details

Prior to the resolution of this vulnerability, an attacker could potentially trigger the null-ptr-deref in btrfs_search_slot() by having the kernel mount a file system whose extent tree root is corrupted with the rescue=ibadroots option and then causing a search against that null root, leading to a kernel crash or other undesired behavior.

With the addition of the sanity check for the Btrfs root in the btrfs_search_slot() function, this vulnerability has been effectively mitigated, and the specific attack vector no longer poses a threat to the Linux kernel.

Conclusion

CVE-2024-56774 was a significant vulnerability in the Linux kernel involving a null-pointer dereference in the Btrfs file system. Thanks to the diligent work of developers and the automated bug-finding capabilities of Syzbot, this issue has now been resolved through the implementation of a sanity check for the Btrfs root. This resolution ensures that the Linux kernel remains robust and secure from this specific attack vector.

Timeline

Published on: 01/08/2025 18:15:18 UTC
Last modified on: 01/20/2025 06:27:54 UTC