| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 13 Jan 2024 19:28:31 +0800 From: Edward Adam Davis <eadavis@...com> To: syzbot+a5e651ca75fa0260acd5@...kaller.appspotmail.com Cc: chao@...nel.org, jaegeuk@...nel.org, linux-f2fs-devel@...ts.sourceforge.net, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com Subject: [PATCH] f2fs: fix uaf in destroy_device_list When the call to f2fs_fill_super() fails, only the memory occupied by sbi is released, but s_fs_info is not set to NULL, this will cause the current issue to occur. Reported-and-tested-by: syzbot+a5e651ca75fa0260acd5@...kaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@...com> --- fs/f2fs/super.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index d00d21a8b53a..9939e2445b1e 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -4879,6 +4879,7 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) free_sbi: if (sbi->s_chksum_driver) crypto_free_shash(sbi->s_chksum_driver); + sb->s_fs_info = NULL; kfree(sbi); /* give only one another chance */ -- 2.43.0
Powered by blists - more mailing lists