oss-sec mailing list archives

Linux kernel: fs/btrfs: null-ptr-dereference bug in btrfs_rm_device in fs/btrfs/volumes.c


From: butt3rflyh4ck <butterflyhuangxx () gmail com>
Date: Wed, 25 Aug 2021 10:49:04 +0800

Hello, there is a null pointer dereference bug in the btrfs_rm_device
function in fs/btrfs/volumes.c in linux-5.14.0-rc4+, and it can be reproduced.
Fortunately, triggering the bug requires CAP_SYS_ADMIN.

#Root Cause
When a user invokes the BTRFS_IOC_RM_DEV_V2 ioctl to remove a non-existent
volume device, the kernel calls btrfs_ioctl_rm_dev_v2 to handle it, and
btrfs_ioctl_rm_dev_v2 calls btrfs_rm_device. If the id of the volume device
is invalid, this triggers a null-ptr-deref, causing a DoS.

#Analysis
https://lore.kernel.org/linux-btrfs/CAFcO6XO5TC5sEo-C9JGC75JkNAzkOSSLA3a=bwQqXFFbRTZ7Gw () mail gmail com/T/#md4b850f33616b7364f86e6fed144abc925f3669c

#Fix
The patch for this issue is not yet available upstream:
https://lore.kernel.org/linux-btrfs/20210806102415.304717-1-wqu () suse com/T/#u


#Timeline
*2021/8/6 - Vulnerability reported to maintainer and CC'd to linux-btrfs () vger kernel org.
*2021/8/6 - Vulnerability confirmed and patched.
*2021/8/10 - Vulnerability reported to secalert () redhat com.
*2021/8/25 - Opened on oss-security () lists openwall com.

#Credit
The issue was reported by Active Defense Lab of Venustech.

Regards,
 butt3rflyh4ck.
-- 
Active Defense Lab of Venustech

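Added illustration (not the kernel's code and not the reporter's reproducer): a small userspace C model of the error-path ordering the root-cause section describes, where a device lookup by id can fail and the caller must check the result before touching it. The device table, the `find_device_by_id`, `rm_device_buggy`, `rm_device_fixed` and `last_message` names, and the "build a log line from the looked-up device" step are hypothetical; the real btrfs_rm_device error path is not reproduced here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical userspace model of a filesystem's device table (not kernel code). */
struct model_device {
    unsigned long long devid;
    const char *name;
};

/* Constructed sample table: two known device ids. */
static struct model_device devices[] = {
    { 1, "/dev/sda" },
    { 2, "/dev/sdb" },
};
#define NDEVICES (sizeof(devices) / sizeof(devices[0]))

/* Last message the remove path produced, so a caller can inspect it. */
static char last_log[96];

const char *last_message(void)
{
    return last_log;
}

/* Look up a device by id; returns NULL when no device carries that id. */
static struct model_device *find_device_by_id(unsigned long long devid)
{
    for (size_t i = 0; i < NDEVICES; i++)
        if (devices[i].devid == devid)
            return &devices[i];
    return NULL;
}

/*
 * Buggy ordering: the pointer returned by the lookup is dereferenced
 * (to build a log line) before the "not found" check.  With an unknown
 * devid this reads through a NULL pointer, which is the shape of crash
 * the advisory describes.  Only call this with a valid id.
 */
int rm_device_buggy(unsigned long long devid)
{
    struct model_device *device = find_device_by_id(devid);

    snprintf(last_log, sizeof last_log, "removing devid %llu (%s)",
             device->devid, device->name);   /* NULL deref if not found */
    if (!device)
        return -ENOENT;
    return 0;
}

/* Fixed ordering: check the lookup result before touching it. */
int rm_device_fixed(unsigned long long devid)
{
    struct model_device *device = find_device_by_id(devid);

    if (!device) {
        /* Log only the caller-supplied id; never read device->... here. */
        snprintf(last_log, sizeof last_log, "devid %llu not found", devid);
        return -ENOENT;
    }
    snprintf(last_log, sizeof last_log, "removing devid %llu (%s)",
             device->devid, device->name);
    return 0;
}

int main(void)
{
    /* Valid id: both orderings behave the same. */
    printf("%d: %s\n", rm_device_fixed(1), last_message());
    /* Invalid id: the fixed path returns -ENOENT; the buggy path would segfault. */
    printf("%d: %s\n", rm_device_fixed(99), last_message());
    return 0;
}
```

The point of the model is the placement of the `if (!device)` check relative to the first read through `device`: in the fixed version nothing is read through the pointer until the lookup is known to have succeeded, and the failure path logs only data the caller supplied.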
