Open Source and information security mailing list archives
Message-ID: <f66ff338-f3ec-e7a3-5698-250b97511982@linaro.org>
Date: Mon, 2 Jan 2023 07:41:18 +0200
From: Tudor Ambarus <tudor.ambarus@...aro.org>
To: Eric Biggers <ebiggers@...nel.org>
Cc: tytso@....edu, adilger.kernel@...ger.ca, linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org, joneslee@...gle.com, syzbot+0827b4b52b5ebf65f219@...kaller.appspotmail.com, stable@...r.kernel.org
Subject: Re: [PATCH v2] ext4: Fix possible use-after-free in ext4_find_extent

On 30.12.2022 22:07, Eric Biggers wrote:
> On Fri, Dec 30, 2022 at 01:42:45PM +0200, Tudor Ambarus wrote:
>>
>> Seems that __ext4_iget() is not called on writes.
>
> It is called when the inode is first accessed. Usually that's when the file is
> opened.

Okay, thanks.

>
> So the question is why didn't it validate the inode's extent header, or
> alternatively how did the inode's extent header get corrupted afterwards.
>
>> You can find below the sequence of calls that leads to the bug.
>
> A stack trace is not a reproducer. Things must have happened before that point.
>

I will try to dig more to understand what's happening. If you'd like to take a look at the reproducer, here it is:
https://syzkaller.appspot.com/text?tag=ReproC&x=17beb560480000

The reproducer was used for Android 5.15 and the bug is reported at [1], but as I mentioned earlier, using the same reproducer and config I hit the bug on v6.2-rc1 as well.

Thanks for the help.
ta

[1] https://syzkaller.appspot.com/bug?id=be6e90ce70987950e6deb3bac8418344ca8b96cd