In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix removed dentries still existing after log is synced
When we move one inode from one directory to another and both the inode
and its previous parent directory were logged before, we are not supposed
to have the dentry for the old parent if we have a power failure after the
log is synced. Only the new dentry is supposed to exist.
Generally this works correctly, however there is a scenario where this is
not currently working, because the old parent of the file/directory that
was moved is not authoritative for a range that includes the dir index and
dir item keys of the old dentry. This case is better explained with the
following example and reproducer:
$ mkfs.btrfs -f -n 65536 /dev/sdc
$ mount /dev/sdc /mnt
$ mkdir /mnt/testdir
$ chmod 755 /mnt/testdir
$ for ((i = 1; i <= 1200; i++)); do
echo -n > /mnt/testdir/file$i
done
$ mkdir /mnt/testdir/dira
$ sync
$ chmod 700 /mnt/testdir
—truncated—
[
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/btrfs/tree-log.c"
],
"versions": [
{
"version": "64d6b281ba4d",
"lessThan": "6d0924c5b742",
"status": "affected",
"versionType": "git"
},
{
"version": "64d6b281ba4d",
"lessThan": "54a40fc3a1da",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/btrfs/tree-log.c"
],
"versions": [
{
"version": "5.12",
"status": "affected"
},
{
"version": "0",
"lessThan": "5.12",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.12.7",
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.13",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
]