| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Dec 2021 10:16:24 -0500
From: "Theodore Ts'o" <tytso@....edu>
To: linux-ext4@...r.kernel.org, Zhang Yi <yi.zhang@...wei.com>
Cc: "Theodore Ts'o" <tytso@....edu>, jack@...e.cz,
adilger.kernel@...ger.ca, yukuai3@...wei.com
Subject: Re: [PATCH] ext4: fix an use-after-free issue about data=journal writeback mode
On Sat, 25 Dec 2021 17:09:37 +0800, Zhang Yi wrote:
> Our syzkaller report an use-after-free issue that accessing the freed
> buffer_head on the writeback page in __ext4_journalled_writepage(). The
> problem is that if there was a truncate racing with the data=journalled
> writeback procedure, the writeback length could become zero and
> bget_one() refuse to get buffer_head's refcount, then the truncate
> procedure release buffer once we drop page lock, finally, the last
> ext4_walk_page_buffers() trigger the use-after-free problem.
>
> [...]
Nice catch. Applied, thanks!
[1/1] ext4: fix an use-after-free issue about data=journal writeback mode
commit: 856dd2096e2a01f6eb2c9d60f6e0cd587aa273a8
Best regards,
--
Theodore Ts'o <tytso@....edu>
Powered by blists - more mailing lists