{"uuid": "7e261abc-a1c8-44ed-8d41-a84b7ddbb88e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-21658", "type": "seen", "source": "https://t.me/cvedetector/15941", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-21658 - Linux Btrfs NULL Pointer Dereference Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2025-21658 \nPublished : Jan. 21, 2025, 1:15 p.m. | 42\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nbtrfs: avoid NULL pointer dereference if no valid extent tree  \n  \n[BUG]  \nSyzbot reported a crash with the following call trace:  \n  \n  BTRFS info (device loop0): scrub: started on devid 1  \n  BUG: kernel NULL pointer dereference, address: 0000000000000208  \n  #PF: supervisor read access in kernel mode  \n  #PF: error_code(0x0000) - not-present page  \n  PGD 106e70067 P4D 106e70067 PUD 107143067 PMD 0  \n  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI  \n  CPU: 1 UID: 0 PID: 689 Comm: repro Kdump: loaded Tainted: G           O       6.13.0-rc4-custom+ #206  \n  Tainted: [O]=OOT_MODULE  \n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022  \n  RIP: 0010:find_first_extent_item+0x26/0x1f0 [btrfs]  \n  Call Trace:  \n     \n   scrub_find_fill_first_stripe+0x13d/0x3b0 [btrfs]  \n   scrub_simple_mirror+0x175/0x260 [btrfs]  \n   scrub_stripe+0x5d4/0x6c0 [btrfs]  \n   scrub_chunk+0xbb/0x170 [btrfs]  \n   scrub_enumerate_chunks+0x2f4/0x5f0 [btrfs]  \n   btrfs_scrub_dev+0x240/0x600 [btrfs]  \n   btrfs_ioctl+0x1dc8/0x2fa0 [btrfs]  \n   ? do_sys_openat2+0xa5/0xf0  \n   __x64_sys_ioctl+0x97/0xc0  \n   do_syscall_64+0x4f/0x120  \n   entry_SYSCALL_64_after_hwframe+0x76/0x7e  \n     \n  \n[CAUSE]  \nThe reproducer is using a corrupted image where extent tree root is  \ncorrupted, thus forcing to use \"rescue=all,ro\" mount option to mount the  \nimage.  
\n  \nThen it triggered a scrub, but since scrub relies on extent tree to find  \nwhere the data/metadata extents are, scrub_find_fill_first_stripe()  \nrelies on a non-empty extent root.  \n  \nBut unfortunately scrub_find_fill_first_stripe() doesn't really expect  \na NULL pointer for extent root, it uses extent_root to grab fs_info and  \ntriggered a NULL pointer dereference.  \n  \n[FIX]  \nAdd an extra check for a valid extent root at the beginning of  \nscrub_find_fill_first_stripe().  \n  \nThe new error path is introduced by 42437a6386ff (\"btrfs: introduce  \nmount option rescue=ignorebadroots\"), but that's pretty old, and later  \ncommit b979547513ff (\"btrfs: scrub: introduce helper to find and fill  \nsector info for a scrub_stripe\") changed how we do scrub.  \n  \nSo for kernels older than 6.6, the fix will need manual backport. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"21 Jan 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-01-21T15:17:22.000000Z"}