| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <bug-199179-13602-10vb9QgV1P@https.bugzilla.kernel.org/>
Date: Thu, 29 Mar 2018 14:00:24 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: linux-ext4@...nel.org
Subject: [Bug 199179] Invalid pointer dereference when mounting crafted ext4
image in ext4_process_freed_data
https://bugzilla.kernel.org/show_bug.cgi?id=199179
Jan Kara (jack@...e.cz) changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jack@...e.cz
--- Comment #4 from Jan Kara (jack@...e.cz) ---
Ted, I'm not quite getting it: ext4_iget() should fail getting the root inode
in case i_links_count is 0. It should return -ESTALE and mark the inode as bad.
So iput() will call ext4_evict_inode() but because the inode is marked as bad,
we skip any attempts to delete the inode and just call ext4_clear_inode(). But
apparently that didn't happen and ext4_iget() succeeded despite inode having
i_links_count == 0. So the question is why the check:
if (inode->i_nlink == 0) {
if ((inode->i_mode == 0 ||
!(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ORPHAN_FS))
&&
ino != EXT4_BOOT_LOADER_INO) {
/* this inode is deleted */
ret = -ESTALE;
goto bad_inode;
}
in ext4_iget() didn't trigger...
--
You are receiving this mail because:
You are watching the assignee of the bug.
Powered by blists - more mailing lists