| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220208161429.6oviyrpovqpcwpz5@quack3.lan>
Date: Tue, 8 Feb 2022 17:14:29 +0100
From: Jan Kara <jack@...e.cz>
To: syzbot <syzbot+afa2ca5171d93e44b348@...kaller.appspotmail.com>
Cc: jack@...e.com, linux-ext4@...r.kernel.org,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
tytso@....edu, Ritesh Harjani <riteshh@...ux.ibm.com>
Subject: Re: [syzbot] KASAN: use-after-free Read in jbd2_journal_wait_updates
On Tue 08-02-22 04:49:19, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 555f3d7be91a Merge tag '5.17-rc3-ksmbd-server-fixes' of gi..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17e55852700000
> kernel config: https://syzkaller.appspot.com/x/.config?x=88e0a6a3dbf057cf
> dashboard link: https://syzkaller.appspot.com/bug?extid=afa2ca5171d93e44b348
> compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13b03872700000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+afa2ca5171d93e44b348@...kaller.appspotmail.com
So the syzbot reproducer looks bogus to me but the bug is real.
jbd2_journal_wait_updates() looks at commit_transaction after dropping
j_state_lock and sleeping which is certainly prone to use-after-free
issues.
Funnily, Ritesh's removal of t_handle_lock should "fix" the problem by
removing this dereference. So Ritesh, please just add some reference to
syzbot report and maybe a backport to stable would be warranted.
Honza
--
Jan Kara <jack@...e.com>
SUSE Labs, CR
Powered by blists - more mailing lists