CVE-2023-3111: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2023-3111) was discovered in the preparetorelocate function in fs/btrfs/relocation.c in the btrfs filesystem implementation of the Linux Kernel. The vulnerability was discovered by the TOTE Robot tool and reported on June 5, 2023. This flaw affects Linux kernel versions prior to 6.0-rc2 and can be triggered by calling btrfsioctlbalance() before calling btrfsioctldefrag() (NVD, Debian Security).

The vulnerability occurs due to incorrect error handling in preparetorelocate(). When btrfsrelocateblockgroup() allocates an rc structure and calls preparetorelocate(), the rc is assigned to fsinfo->relocctl. If btrfscommittransaction() fails during preparetorelocate(), the error is detected and rc is freed, but fsinfo->relocctl is not set to NULL. This leads to a use-after-free condition when btrfsinitrelocroot() later retrieves and uses the freed rc from fsinfo->relocctl (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NetApp Advisory).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). However, it's unclear whether an unprivileged user can exploit this vulnerability (Debian Security).

The vulnerability has been fixed in Linux kernel version 6.0-rc2 by adding proper error handling in preparetorelocate(). The fix includes calling unsetreloccontrol() to set fsinfo->relocctl to NULL when btrfscommittransaction() fails. Various Linux distributions have released patches for their supported kernel versions, including Debian 10 (buster) in version 4.19.289-1 and Debian 11 (bullseye) in version 5.10.191-1 (Debian Security).