Linux Kernel Vulnerability

A new vulnerability has been discovered in the Linux Kernel, specifically in the btrfs filesystem. The flaw, tracked as CVE-2023-4389, can be exploited by a local attacker with user privileges to crash the system or leak internal kernel information.

The Details

This vulnerability lies in the btrfs_get_root_ref function within the fs/btrfs/disk-io.c file. It is caused by a double decrement of a reference count: the count can drop to zero while the object is still in use, which is what allows a local attacker to crash the system or expose internal kernel information.

Here's the problematic code snippet:

int btrfs_get_root_ref(struct btrfs_root *root, const char **name,
		       int *name_len)
{
	int ret;
	struct btrfs_path *path;
	struct btrfs_key key;
	struct extent_buffer *leaf;
	struct btrfs_root_ref *ref;

	path = btrfs_alloc_path();
	if (!path)
		return -ENOMEM;

	/* Look up the ROOT_REF item for this root in the tree root. */
	key.objectid = root->root_key.objectid;
	key.type = BTRFS_ROOT_REF_KEY;
	key.offset = root->root_key.offset;

	while (1) {
		ret = btrfs_search_slot(NULL, root->fs_info->tree_root, &key,
					path, 0, 0);
		if (ret < 0) {
			btrfs_free_path(path);
			return ret;
		}

		leaf = path->nodes[0];
		if (ret > 0) {
			/* No exact match: the item does not exist. */
			ret = -ENOENT;
			goto out;
		}

		ref = btrfs_item_ptr(leaf, path->slots[0],
				     struct btrfs_root_ref);
		*name_len = btrfs_root_name_len(leaf, ref);
		*name = btrfs_root_name(leaf, ref);

		ret = 0;
out:
		btrfs_free_path(path); // <-- Problematic double decrement
		return ret;
	}
}

The issue occurs at the marked btrfs_free_path(path) call, which performs the second, extra decrement of the reference count.
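The following user-space model, added here and not taken from the kernel or from the advisory, shows why one extra release of a reference is dangerous: the unguarded release drives the count below zero after the object has already been freed, while a guarded release modelled loosely on the kernel's refcount_t (which refuses to decrement past zero) reports the extra call instead of acting on it. All names and the struct are constructed for illustration.

```c
/* Constructed user-space model of a kernel-style refcounted object, added
 * for illustration; it is not btrfs or advisory code. */
struct obj {
	int refs;   /* reference count */
	int freed;  /* set once the storage would have been released */
};

/* Unguarded release: decrements unconditionally and "frees" at zero. A second
 * release on the same reference drives refs negative and, in the kernel,
 * operates on memory that kfree() has already returned. */
static void unguarded_put(struct obj *o)
{
	if (--o->refs == 0)
		o->freed = 1;            /* kfree() would happen here */
}

/* Guarded release, modelled loosely on the kernel's refcount_t, which refuses
 * to decrement below zero and warns instead of freeing twice.
 * Returns 1 if an extra release was caught, 0 otherwise. */
static int guarded_put(struct obj *o)
{
	if (o->refs <= 0)
		return 1;                /* double put detected; object untouched */
	if (--o->refs == 0)
		o->freed = 1;
	return 0;
}

/* The vulnerable flow: the caller owns one reference, releases it once
 * (correct) and then once more, like the marked btrfs_free_path() call. */
int unguarded_final_refs(void)
{
	struct obj o = { 1, 0 };
	unguarded_put(&o);
	unguarded_put(&o);           /* the double decrement */
	return o.refs;               /* -1: the count has underflowed */
}

/* Same flow with the guard: returns 1 if the extra release was reported and
 * the count stayed at zero, 0 if the bug slipped through. */
int guarded_double_put_caught(void)
{
	struct obj o = { 1, 0 };
	guarded_put(&o);
	return guarded_put(&o) == 1 && o.refs == 0;
}
```

In the real kernel the negative count is never observed directly; what is observed is the crash or information leak that follows from touching freed memory, which is why refcount underflow checks are the first-line defence for this bug class.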

Original references

- flaw commit
- fix commit

Exploiting the Vulnerability

Exploiting this flaw requires local user privileges. A well-crafted exploit leveraging this vulnerability can crash the system or lead to the leakage of internal kernel information, posing a threat to the security of the system and its users.

Unfortunately, there are no known mitigations or workarounds available for this specific vulnerability yet. System administrators are strongly encouraged to monitor for updates and patches as they become available.

Conclusion

CVE-2023-4389 highlights a critical vulnerability in the Linux Kernel's btrfs filesystem, potentially allowing an attacker to crash the system or gain unauthorized access to internal kernel information. It is crucial for system administrators and users alike to stay vigilant against such threats and promptly apply any available security patches or updates.

Timeline

Published on: 08/16/2023 19:15:10 UTC
Last modified on: 11/07/2023 04:22:30 UTC