| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220914100812.1414768-3-yebin10@huawei.com>
Date: Wed, 14 Sep 2022 18:08:12 +0800
From: Ye Bin <yebin10@...wei.com>
To: <tytso@....edu>, <adilger.kernel@...ger.ca>,
<linux-ext4@...r.kernel.org>
CC: <linux-kernel@...r.kernel.org>, <jack@...e.cz>,
Ye Bin <yebin10@...wei.com>
Subject: [PATCH -next 2/2] jbd2: fix potential use-after-free in jbd2_fc_wait_bufs
In 'jbd2_fc_wait_bufs' use 'bh' after put buffer head reference count
which may lead to use-after-free.
So judge buffer if uptodate before put buffer head reference count.
Signed-off-by: Ye Bin <yebin10@...wei.com>
---
fs/jbd2/journal.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
index 1c833d8cb0fe..4d49f629d06b 100644
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -923,16 +923,16 @@ int jbd2_fc_wait_bufs(journal_t *journal, int num_blks)
for (i = j_fc_off - 1; i >= j_fc_off - num_blks; i--) {
bh = journal->j_fc_wbuf[i];
wait_on_buffer(bh);
- put_bh(bh);
- journal->j_fc_wbuf[i] = NULL;
/*
* Update j_fc_off so jbd2_fc_release_bufs can release remain
* buffer head.
*/
if (unlikely(!buffer_uptodate(bh))) {
- journal->j_fc_off = i;
+ journal->j_fc_off = i + 1;
return -EIO;
}
+ put_bh(bh);
+ journal->j_fc_wbuf[i] = NULL;
}
return 0;
--
2.31.1
Powered by blists - more mailing lists