ghsa-r9cf-94mr-8v6q
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
btrfs: don't use btrfs_set_item_key_safe on RAID stripe-extents
Don't use btrfs_set_item_key_safe() to modify the keys in the RAID stripe-tree, as this can lead to corruption of the tree, which is caught by the checks in btrfs_set_item_key_safe():
BTRFS info (device nvme1n1): leaf 49168384 gen 15 total ptrs 194 free space 8329 owner 12 BTRFS info (device nvme1n1): refs 2 lock_owner 1030 current 1030 [ snip ] item 105 key (354549760 230 20480) itemoff 14587 itemsize 16 stride 0 devid 5 physical 67502080 item 106 key (354631680 230 4096) itemoff 14571 itemsize 16 stride 0 devid 1 physical 88559616 item 107 key (354631680 230 32768) itemoff 14555 itemsize 16 stride 0 devid 1 physical 88555520 item 108 key (354717696 230 28672) itemoff 14539 itemsize 16 stride 0 devid 2 physical 67604480 [ snip ] BTRFS critical (device nvme1n1): slot 106 key (354631680 230 32768) new key (354635776 230 4096) ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.c:2602! Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 1 UID: 0 PID: 1055 Comm: fsstress Not tainted 6.13.0-rc1+ #1464 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:btrfs_set_item_key_safe+0xf7/0x270 Code: RSP: 0018:ffffc90001337ab0 EFLAGS: 00010287 RAX: 0000000000000000 RBX: ffff8881115fd000 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffffffff RBP: ffff888110ed6f50 R08: 00000000ffffefff R09: ffffffff8244c500 R10: 00000000ffffefff R11: 00000000ffffffff R12: ffff888100586000 R13: 00000000000000c9 R14: ffffc90001337b1f R15: ffff888110f23b58 FS: 00007f7d75c72740(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa811652c60 CR3: 0000000111398001 CR4: 0000000000370eb0 Call Trace: ? __die_body.cold+0x14/0x1a ? die+0x2e/0x50 ? do_trap+0xca/0x110 ? do_error_trap+0x65/0x80 ? btrfs_set_item_key_safe+0xf7/0x270 ? exc_invalid_op+0x50/0x70 ? btrfs_set_item_key_safe+0xf7/0x270 ? asm_exc_invalid_op+0x1a/0x20 ? btrfs_set_item_key_safe+0xf7/0x270 btrfs_partially_delete_raid_extent+0xc4/0xe0 btrfs_delete_raid_extent+0x227/0x240 __btrfs_free_extent.isra.0+0x57f/0x9c0 ? exc_coproc_segment_overrun+0x40/0x40 __btrfs_run_delayed_refs+0x2fa/0xe80 btrfs_run_delayed_refs+0x81/0xe0 btrfs_commit_transaction+0x2dd/0xbe0 ? preempt_count_add+0x52/0xb0 btrfs_sync_file+0x375/0x4c0 do_fsync+0x39/0x70 __x64_sys_fsync+0x13/0x20 do_syscall_64+0x54/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f7d7550ef90 Code: RSP: 002b:00007ffd70237248 EFLAGS: 00000202 ORIG_RAX: 000000000000004a RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f7d7550ef90 RDX: 000000000000013a RSI: 000000000040eb28 RDI: 0000000000000004 RBP: 000000000000001b R08: 0000000000000078 R09: 00007ffd7023725c R10: 00007f7d75400390 R11: 0000000000000202 R12: 028f5c28f5c28f5c R13: 8f5c28f5c28f5c29 R14: 000000000040b520 R15: 00007f7d75c726c8
While the root cause of the tree order corruption isn't clear, using btrfs_duplicate_item() to copy the item and then adjusting both the key and the per-device physical addresses is a safe way to counter this problem.
{
"affected": [],
"aliases": [
"CVE-2025-21752"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-27T03:15:15Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don\u0027t use btrfs_set_item_key_safe on RAID stripe-extents\n\nDon\u0027t use btrfs_set_item_key_safe() to modify the keys in the RAID\nstripe-tree, as this can lead to corruption of the tree, which is caught\nby the checks in btrfs_set_item_key_safe():\n\n BTRFS info (device nvme1n1): leaf 49168384 gen 15 total ptrs 194 free space 8329 owner 12\n BTRFS info (device nvme1n1): refs 2 lock_owner 1030 current 1030\n [ snip ]\n item 105 key (354549760 230 20480) itemoff 14587 itemsize 16\n stride 0 devid 5 physical 67502080\n item 106 key (354631680 230 4096) itemoff 14571 itemsize 16\n stride 0 devid 1 physical 88559616\n item 107 key (354631680 230 32768) itemoff 14555 itemsize 16\n stride 0 devid 1 physical 88555520\n item 108 key (354717696 230 28672) itemoff 14539 itemsize 16\n stride 0 devid 2 physical 67604480\n [ snip ]\n BTRFS critical (device nvme1n1): slot 106 key (354631680 230 32768) new key (354635776 230 4096)\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/ctree.c:2602!\n Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 UID: 0 PID: 1055 Comm: fsstress Not tainted 6.13.0-rc1+ #1464\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n RIP: 0010:btrfs_set_item_key_safe+0xf7/0x270\n Code: \u003csnip\u003e\n RSP: 0018:ffffc90001337ab0 EFLAGS: 00010287\n RAX: 0000000000000000 RBX: ffff8881115fd000 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffffffff\n RBP: ffff888110ed6f50 R08: 00000000ffffefff R09: ffffffff8244c500\n R10: 00000000ffffefff R11: 00000000ffffffff R12: ffff888100586000\n R13: 00000000000000c9 R14: ffffc90001337b1f R15: ffff888110f23b58\n FS: 00007f7d75c72740(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fa811652c60 CR3: 0000000111398001 CR4: 0000000000370eb0\n Call Trace:\n \u003cTASK\u003e\n ? __die_body.cold+0x14/0x1a\n ? die+0x2e/0x50\n ? do_trap+0xca/0x110\n ? do_error_trap+0x65/0x80\n ? btrfs_set_item_key_safe+0xf7/0x270\n ? exc_invalid_op+0x50/0x70\n ? btrfs_set_item_key_safe+0xf7/0x270\n ? asm_exc_invalid_op+0x1a/0x20\n ? btrfs_set_item_key_safe+0xf7/0x270\n btrfs_partially_delete_raid_extent+0xc4/0xe0\n btrfs_delete_raid_extent+0x227/0x240\n __btrfs_free_extent.isra.0+0x57f/0x9c0\n ? exc_coproc_segment_overrun+0x40/0x40\n __btrfs_run_delayed_refs+0x2fa/0xe80\n btrfs_run_delayed_refs+0x81/0xe0\n btrfs_commit_transaction+0x2dd/0xbe0\n ? preempt_count_add+0x52/0xb0\n btrfs_sync_file+0x375/0x4c0\n do_fsync+0x39/0x70\n __x64_sys_fsync+0x13/0x20\n do_syscall_64+0x54/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f7d7550ef90\n Code: \u003csnip\u003e\n RSP: 002b:00007ffd70237248 EFLAGS: 00000202 ORIG_RAX: 000000000000004a\n RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f7d7550ef90\n RDX: 000000000000013a RSI: 000000000040eb28 RDI: 0000000000000004\n RBP: 000000000000001b R08: 0000000000000078 R09: 00007ffd7023725c\n R10: 00007f7d75400390 R11: 0000000000000202 R12: 028f5c28f5c28f5c\n R13: 8f5c28f5c28f5c29 R14: 000000000040b520 R15: 00007f7d75c726c8\n \u003c/TASK\u003e\n\nWhile the root cause of the tree order corruption isn\u0027t clear, using\nbtrfs_duplicate_item() to copy the item and then adjusting both the key\nand the per-device physical addresses is a safe way to counter this\nproblem.",
"id": "GHSA-r9cf-94mr-8v6q",
"modified": "2025-02-27T03:34:04Z",
"published": "2025-02-27T03:34:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21752"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1c25eff52ee5a02a2c4be659a44ae972d9989742"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dc14ba10781bd2629835696b7cc1febf914768e9"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.