Message-ID: <f66ff338-f3ec-e7a3-5698-250b97511982@linaro.org>
Date:   Mon, 2 Jan 2023 07:41:18 +0200
From:   Tudor Ambarus <tudor.ambarus@...aro.org>
To:     Eric Biggers <ebiggers@...nel.org>
Cc:     tytso@....edu, adilger.kernel@...ger.ca,
        linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org,
        joneslee@...gle.com,
        syzbot+0827b4b52b5ebf65f219@...kaller.appspotmail.com,
        stable@...r.kernel.org
Subject: Re: [PATCH v2] ext4: Fix possible use-after-free in ext4_find_extent



On 30.12.2022 22:07, Eric Biggers wrote:
> On Fri, Dec 30, 2022 at 01:42:45PM +0200, Tudor Ambarus wrote:
>>
>> Seems that __ext4_iget() is not called on writes.
> 
> It is called when the inode is first accessed.  Usually that's when the file is
> opened.

Okay, thanks.

> 
> So the question is why didn't it validate the inode's extent header, or
> alternatively how did the inode's extent header get corrupted afterwards.
> 
>> You can find below the sequence of calls that leads to the bug.
> 
> A stack trace is not a reproducer.  Things must have happened before that point.
> 

I will try to dig more to understand what's happening. If you'd like to
take a look into the reproducer, here it is:
https://syzkaller.appspot.com/text?tag=ReproC&x=17beb560480000

The reproducer was used for Android 5.15 and the bug is reported at [1],
but as I mentioned earlier, using the same reproducer and config I hit
the bug on v6.2-rc1 as well.

Thanks for the help.
ta

[1] https://syzkaller.appspot.com/bug?id=be6e90ce70987950e6deb3bac8418344ca8b96cd
