| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Sep 2022 16:36:44 +0200
From: Jan Kara <jack@...e.cz>
To: Ye Bin <yebin10@...wei.com>
Cc: tytso@....edu, adilger.kernel@...ger.ca,
linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org,
jack@...e.cz
Subject: Re: [PATCH -next 2/2] jbd2: fix potential use-after-free in
jbd2_fc_wait_bufs
On Wed 14-09-22 18:08:12, Ye Bin wrote:
> In 'jbd2_fc_wait_bufs' use 'bh' after put buffer head reference count
> which may lead to use-after-free.
> So judge buffer if uptodate before put buffer head reference count.
>
> Signed-off-by: Ye Bin <yebin10@...wei.com>
Looks good. Feel free to add:
Reviewed-by: Jan Kara <jack@...e.cz>
Honza
> ---
> fs/jbd2/journal.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
> index 1c833d8cb0fe..4d49f629d06b 100644
> --- a/fs/jbd2/journal.c
> +++ b/fs/jbd2/journal.c
> @@ -923,16 +923,16 @@ int jbd2_fc_wait_bufs(journal_t *journal, int num_blks)
> for (i = j_fc_off - 1; i >= j_fc_off - num_blks; i--) {
> bh = journal->j_fc_wbuf[i];
> wait_on_buffer(bh);
> - put_bh(bh);
> - journal->j_fc_wbuf[i] = NULL;
> /*
> * Update j_fc_off so jbd2_fc_release_bufs can release remain
> * buffer head.
> */
> if (unlikely(!buffer_uptodate(bh))) {
> - journal->j_fc_off = i;
> + journal->j_fc_off = i + 1;
> return -EIO;
> }
> + put_bh(bh);
> + journal->j_fc_wbuf[i] = NULL;
> }
>
> return 0;
> --
> 2.31.1
>
--
Jan Kara <jack@...e.com>
SUSE Labs, CR
Powered by blists - more mailing lists