| **Vulnerability Description** |
| |
| The vulnerability exists in the Btrfs file system, specifically in the `tree-log.c` file. It occurs when a directory or file is renamed, and the log replay process fails to correctly update the hard links, leading to an inconsistent state. |
| |
| **Technical Details** |
| |
| When a rename operation is performed, the old parent directory's log needs to be re-logged to ensure that the old dentry (directory entry) is deleted during log replay. However, in affected versions of the kernel, this step is missing, causing the old hard link to remain present. |
| |
| The vulnerability is triggered when the `btrfs_commit_transaction` function fails with an IO error (-5), leading to a series of errors, including: |
| |
| * `BTRFS: error (device sdc) in btrfs_commit_transaction:2381: errno=-5 IO failure` |
| * `BTRFS warning (device sdc): Skipping commit of aborted transaction.` |
| * `BTRFS: error (device sdc) in cleanup_transaction:1978: errno=-5 IO failure` |
| * `BTRFS: error (device sdc) in btrfs_replay_log:2431: errno=-5 IO failure (Failed to recover log tree)` |
| * `BTRFS error (device sdc): open_ctree failed` |
| |
| **Impact** |
| |
| If the moved inode was a file, the log replay would succeed, but both the new and old hard links would remain present, causing data inconsistency. |
| |
| **Fix** |
| |
| The fix involves forcing re-logging of the old parent directory when logging the new name during a rename operation. This ensures that the log is authoritative for a range covering the keys for the old dentry, leading to its deletion during log replay. |
| |
| **Affected and Fixed Versions** |
| |
| The vulnerability was introduced in kernel version 5.12 with commit `64d6b281ba4d`. It was fixed in 5.12.7 with commit `6d0924c5b742` and in 5.13 with commit `54a40fc3a1da`. |
| |
| **Mitigation** |
| |
| The Linux kernel CVE team recommends updating to the latest stable kernel version to resolve this issue, as individual changes are never tested alone. Cherry-picking individual commits is not recommended or supported by the Linux kernel community. |
| |
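
A triage sketch for the details above, added here as an example and not taken from the kernel project or the advisory: it checks a kernel release against the affected range given under "Affected and Fixed Versions" and scans kernel log lines for the log-replay failure sequence quoted under "Technical Details". The function names and the sample log (with constructed timestamps and an extra `sdd` line) are assumptions, and the version check looks at upstream numbering only, not distribution backports.

```python
import re

# Affected range as stated on the page: introduced in 5.12, fixed in 5.12.7 and 5.13.
# Assumption: upstream version numbers only; distribution backports are not considered.
AFFECTED_FROM = (5, 12, 0)
FIXED_IN_STABLE = (5, 12, 7)

# Shape of the BTRFS kernel messages quoted on the page.
BTRFS_MSG = re.compile(
    r"BTRFS[^(]*\(device (?P<dev>[^)]+)\)(?: in (?P<func>\w+):\d+)?: *(?P<msg>.*)")

# Constructed sample: the page's messages for sdc, plus an unrelated sdd failure.
SAMPLE_LOG = """\
[  41.10] BTRFS: error (device sdc) in btrfs_commit_transaction:2381: errno=-5 IO failure
[  41.11] BTRFS warning (device sdc): Skipping commit of aborted transaction.
[  41.12] BTRFS: error (device sdc) in cleanup_transaction:1978: errno=-5 IO failure
[  41.13] BTRFS: error (device sdc) in btrfs_replay_log:2431: errno=-5 IO failure (Failed to recover log tree)
[  41.14] BTRFS error (device sdd): open_ctree failed
[  41.15] BTRFS error (device sdc): open_ctree failed
""".splitlines()

def parse_release(release):
    """Turn a release string such as '5.12.4-arch1' into (5, 12, 4)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def kernel_is_affected(release):
    """True if the upstream version falls in [5.12, 5.12.7)."""
    return AFFECTED_FROM <= parse_release(release) < FIXED_IN_STABLE

def find_replay_failures(lines):
    """Return devices whose mount failed after a log-tree replay failure.
    A hit means log replay failed, which this bug can cause; it is not proof of it."""
    replay_failed, failed_mounts = set(), []
    for line in lines:
        m = BTRFS_MSG.search(line)
        if not m:
            continue
        dev, func, msg = m.group("dev", "func", "msg")
        if func == "btrfs_replay_log" and "Failed to recover log tree" in msg:
            replay_failed.add(dev)
        elif "open_ctree failed" in msg and dev in replay_failed:
            replay_failed.discard(dev)
            failed_mounts.append(dev)
    return failed_mounts
```

On a live host, the release string can come from `platform.release()` and the lines from the kernel log; a device is reported only when `open_ctree failed` follows a `btrfs_replay_log` failure for the same device.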