Instituto Nacional de Ciberseguridad (INCIBE). INCIBE-CERT section

CVE-2026-43046

CVSS v3.1 severity: MEDIUM
Type: Not available / Other
Publication date: 01/05/2026
Last modified: 08/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: reject root items with drop_progress and zero drop_level

[BUG]
When recovering relocation at mount time, merge_reloc_root() and
btrfs_drop_snapshot() both use BUG_ON(level == 0) to guard against
an impossible state: a non-zero drop_progress combined with a zero
drop_level in a root_item, which can be triggered:

  ------------[ cut here ]------------
  kernel BUG at fs/btrfs/relocation.c:1545!
  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
  CPU: 1 UID: 0 PID: 283 ... Tainted: 6.18.0+ #16 PREEMPT(voluntary)
  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
  Hardware name: QEMU Ubuntu 24.04 PC v2, BIOS 1.16.3-debian-1.16.3-2
  RIP: 0010:merge_reloc_root+0x1266/0x1650 fs/btrfs/relocation.c:1545
  Code: ffff0000 00004589 d7e9acfa ffffe8a1 79bafebe 02000000
  Call Trace:
   merge_reloc_roots+0x295/0x890 fs/btrfs/relocation.c:1861
   btrfs_recover_relocation+0xd6e/0x11d0 fs/btrfs/relocation.c:4195
   btrfs_start_pre_rw_mount+0xa4d/0x1810 fs/btrfs/disk-io.c:3130
   open_ctree+0x5824/0x5fe0 fs/btrfs/disk-io.c:3640
   btrfs_fill_super fs/btrfs/super.c:987 [inline]
   btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
   btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
   btrfs_get_tree+0x111c/0x2190 fs/btrfs/super.c:2128
   vfs_get_tree+0x9a/0x370 fs/super.c:1758
   fc_mount fs/namespace.c:1199 [inline]
   do_new_mount_fc fs/namespace.c:3642 [inline]
   do_new_mount fs/namespace.c:3718 [inline]
   path_mount+0x5b8/0x1ea0 fs/namespace.c:4028
   do_mount fs/namespace.c:4041 [inline]
   __do_sys_mount fs/namespace.c:4229 [inline]
   __se_sys_mount fs/namespace.c:4206 [inline]
   __x64_sys_mount+0x282/0x320 fs/namespace.c:4206
   ...
  RIP: 0033:0x7f969c9a8fde
  Code: 0f1f4000 48c7c2b0 fffffff7 d8648902 b8ffffff ffc3660f
  ---[ end trace 0000000000000000 ]---

The bug is reproducible on 7.0.0-rc2-next-20260310 with our dynamic
metadata fuzzing tool that corrupts btrfs metadata at runtime.

[CAUSE]
A non-zero drop_progress.objectid means an interrupted
btrfs_drop_snapshot() left a resume point on disk, and in that case
drop_level must be greater than 0 because the checkpoint is only
saved at internal node levels.

Although this invariant is enforced when the kernel writes the root
item, it is not validated when the root item is read back from disk.
That allows on-disk corruption to provide an invalid state with
drop_progress.objectid != 0 and drop_level == 0.

When relocation recovery later processes such a root item,
merge_reloc_root() reads drop_level and hits BUG_ON(level == 0). The
same invalid metadata can also trigger the corresponding BUG_ON() in
btrfs_drop_snapshot().

[FIX]
Fix this by validating the root_item invariant in tree-checker when
reading root items from disk: if drop_progress.objectid is non-zero,
drop_level must also be non-zero. Reject such malformed metadata with
-EUCLEAN before it reaches merge_reloc_root() or btrfs_drop_snapshot()
and triggers the BUG_ON.

After the fix, the same corruption is correctly rejected by tree-checker
and the BUG_ON is no longer triggered.
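
The read-time check described under [FIX], as an added userspace example in C; it is not the kernel patch and not code from INCIBE or the btrfs project. The 18-byte fragment layout, the name check_drop_state and the sample buffers are assumptions constructed for illustration.

```c
/* Added example: userspace model of the read-time check, not kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifndef EUCLEAN
#define EUCLEAN 117 /* Linux errno "Structure needs cleaning" */
#endif

/* Assumed fragment layout (constructed for this example, little-endian):
 * drop_progress key = objectid(8) type(1) offset(8), then drop_level(1). */
#define FRAG_LEN 18

/* Constructed samples: objectid 256 is stored as bytes 00 01 00 ... */
const uint8_t frag_no_drop[FRAG_LEN] = { 0 };                 /* no resume point */
const uint8_t frag_resume[FRAG_LEN]  = { [1] = 1, [17] = 2 }; /* valid checkpoint */
const uint8_t frag_corrupt[FRAG_LEN] = { [1] = 1, [17] = 0 }; /* state from the advisory */

/* Decode a little-endian u64 independent of host byte order. */
static uint64_t get_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Return 0 if the drop state is consistent, -EUCLEAN if it must be rejected. */
int check_drop_state(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < FRAG_LEN)
        return -EUCLEAN;             /* truncated item: nothing to trust */
    uint64_t drop_objectid = get_le64(buf);
    uint8_t drop_level = buf[17];
    /* A resume point is only saved at internal node levels, so a non-zero
     * drop_progress.objectid with drop_level == 0 is corruption. */
    if (drop_objectid != 0 && drop_level == 0)
        return -EUCLEAN;
    return 0;
}

int main(void)
{
    printf("no_drop=%d resume=%d corrupt=%d\n",
           check_drop_state(frag_no_drop, FRAG_LEN),
           check_drop_state(frag_resume, FRAG_LEN),
           check_drop_state(frag_corrupt, FRAG_LEN));
    return 0;
}
```

Rejecting the item when it is read turns the corrupted state into an error return to the caller instead of a BUG_ON() reached later during relocation recovery.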

Vulnerable products and versions

CPE                                              From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     2.6.29 (including)  5.15.203 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.16 (including)    6.1.168 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.2 (including)     6.6.134 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.7 (including)     6.12.81 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.13 (including)    6.18.22 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.19 (including)    6.19.12 (excluding)
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*