CVE-2025-40235: Linux Kernel Btrfs Vulnerability – Potential NULL Pointer Dereference

Overview

CVE-2025-40235 describes a vulnerability in the Btrfs filesystem implementation in the Linux kernel. The flaw can lead to a NULL pointer dereference, resulting in a kernel panic and a system crash. It stems from improper error handling during the initialization of the Btrfs filesystem’s internal data structures: if a memory allocation fails during the initial setup, a cleanup routine accesses memory that was never initialized, triggering the NULL pointer dereference.

Technical Details

The vulnerability resides in the btrfs_check_leaked_roots() function in fs/btrfs/disk-io.c. The issue occurs when the allocation of either fs_info->super_copy or fs_info->super_for_commit fails inside btrfs_get_tree_subvol(). In these error paths the code proceeds to call btrfs_free_fs_info(), but because the allocation failed before the structure was fully set up, the fs_info->allocated_roots field is still uninitialized.

btrfs_check_leaked_roots(), called from btrfs_free_fs_info(), then reads the uninitialized fs_info->allocated_roots, leading to a NULL pointer dereference. The syzkaller report below illustrates this: a page fault on a supervisor read of an invalid address, with the faulting refcount_read() inside btrfs_check_leaked_roots() and btrfs_free_fs_info() and btrfs_get_tree_subvol() directly above it in the call trace.

Syzkaller Report Snippet:

  ------------[ cut here ]------------
  BUG: unable to handle page fault for address: fffffffffffffbb0
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0
  Oops: Oops: 0000 [#1] SMP KASAN PTI
  CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)
  RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]
  RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]
  RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]
  RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]
  RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230
  [...]
  Call Trace:
   btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280
   btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029
   btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097
   vfs_get_tree+0x98/0x320 fs/super.c:1759
   do_new_mount+0x357/0x660 fs/namespace.c:3899
   path_mount+0x716/0x19c0 fs/namespace.c:4226
   do_mount fs/namespace.c:4239 [inline]
   __do_sys_mount fs/namespace.c:4450 [inline]
   __se_sys_mount fs/namespace.c:4427 [inline]
   __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
  RIP: 0033:0x7f032eaffa8d
  [...]

CVSS Analysis

As of the publication date, no CVSS score has been assigned to this CVE. Given that it causes a kernel panic and a denial of service, it is likely to be rated high severity. The vulnerability can be triggered locally by mounting a specially crafted Btrfs filesystem, so local exploitation is feasible.

Possible Impact

The primary impact of CVE-2025-40235 is a kernel panic, leading to a denial-of-service (DoS) condition: a successful exploit crashes the affected system. The crash can be triggered locally by a user with the privileges needed to mount a crafted Btrfs image, or remotely in setups where a service automatically mounts external media (less likely, but still a consideration).

Mitigation and Patch Steps

The vulnerability has been addressed in the Linux kernel, and users are advised to upgrade to a kernel version that incorporates the fix. The fix ensures that btrfs_free_fs_info() is only called once fs_info->allocated_roots has been properly initialized.

Specifically, the patch adds a check that avoids calling btrfs_free_fs_info() when either the fs_info->super_copy or the fs_info->super_for_commit allocation failed.
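The following user-space model, added here as an illustration and not kernel code or the actual patch, reproduces the ordering problem from the Technical Details section and the gated cleanup described in the mitigation above. The struct and function names mirror the Btrfs ones but are hypothetical stand-ins; the roots_initialised flag and the counters exist only so the demo can record, rather than fault on, a leak check that runs against a never-initialised fs_info. Allocation failure is injected by step number, the same kind of failure syzkaller injected to reach the crash.

```c
/* Added example, not kernel code: a user-space model of the teardown
 * ordering bug behind CVE-2025-40235 and of the gated cleanup the fix
 * describes. Names mirror Btrfs but are hypothetical stand-ins. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal intrusive list in the style of the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };
static void init_list_head(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }

struct fs_info {
    void *super_copy;
    void *super_for_commit;
    struct list_head allocated_roots; /* valid only after init_fs_info() */
    int roots_initialised;            /* demo-only flag: did init_fs_info() run? */
};

/* Fault injection: the Nth allocation of a mount attempt fails (0 = none). */
static int g_fail_step, g_alloc_calls;
static void *maybe_alloc(size_t n)
{
    if (++g_alloc_calls == g_fail_step)
        return NULL;
    return calloc(1, n);
}

/* Observables: how often the leak check ran, and how often it ran against an
 * fs_info whose allocated_roots was never initialised. The second case is
 * where the real kernel faults (the refcount_read() RIP in the report above);
 * the demo records it instead of crashing. */
static int g_leak_checks, g_leak_checks_uninit;

static void check_leaked_roots(struct fs_info *fi)
{
    g_leak_checks++;
    if (!fi->roots_initialised) {
        g_leak_checks_uninit++;
        return;
    }
    if (!list_empty(&fi->allocated_roots))
        fprintf(stderr, "leaked root detected\n");
}

/* Full teardown: runs the leak check unconditionally, like btrfs_free_fs_info(). */
static void free_fs_info(struct fs_info *fi)
{
    check_leaked_roots(fi);
    free(fi->super_copy);
    free(fi->super_for_commit);
    free(fi);
}

static void init_fs_info(struct fs_info *fi)
{
    init_list_head(&fi->allocated_roots);
    fi->roots_initialised = 1;
}

/* Mount model. With fixed == 0 every failure jumps into the full teardown,
 * reproducing the bug; with fixed == 1 the early failures release only the
 * two buffers and the struct, as the patch description above requires. */
static int get_tree_subvol(int fixed)
{
    struct fs_info *fi = calloc(1, sizeof *fi);
    if (!fi)
        return -ENOMEM;
    fi->super_copy = maybe_alloc(4096);
    fi->super_for_commit = maybe_alloc(4096);
    if (!fi->super_copy || !fi->super_for_commit) {
        if (fixed) {
            free(fi->super_copy);
            free(fi->super_for_commit);
            free(fi);
        } else {
            free_fs_info(fi); /* BUG: allocated_roots is not initialised yet */
        }
        return -ENOMEM;
    }
    init_fs_info(fi);
    free_fs_info(fi); /* the demo unmounts immediately; the check is safe now */
    return 0;
}

/* Run one mount attempt with the given injected failure (0 = none). Resets the
 * counters so each scenario stands alone; returns the mount result. */
static int run_scenario(int fail_step, int fixed)
{
    g_fail_step = fail_step;
    g_alloc_calls = g_leak_checks = g_leak_checks_uninit = 0;
    return get_tree_subvol(fixed);
}

int main(void)
{
    int step;
    for (step = 0; step <= 2; step++) {
        int r = run_scenario(step, 0);
        printf("unfixed, fail step %d: ret=%d leak checks on uninit state=%d\n",
               step, r, g_leak_checks_uninit);
        r = run_scenario(step, 1);
        printf("fixed,   fail step %d: ret=%d leak checks on uninit state=%d\n",
               step, r, g_leak_checks_uninit);
    }
    return 0;
}
```

In the unfixed variant, failing either of the two early allocations makes the teardown consult allocated_roots before anything has initialised it; in the fixed variant those paths never reach the leak check, and only a fully initialised fs_info goes through free_fs_info(). The general lesson for reviewing error paths is the one the page's fix embodies: a shared cleanup routine must only be entered once every field it reads has been set up, or it must check for the partially initialised state itself.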

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
