| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240820065511.996453-2-lizhi.xu@windriver.com>
Date: Tue, 20 Aug 2024 14:55:11 +0800
From: Lizhi Xu <lizhi.xu@...driver.com>
To: <heming.zhao@...e.com>
CC: <jlbec@...lplan.org>, <joseph.qi@...ux.alibaba.com>,
<linux-kernel@...r.kernel.org>, <lizhi.xu@...driver.com>,
<mark@...heh.com>, <ocfs2-devel@...ts.linux.dev>,
<syzbot+ab134185af9ef88dfed5@...kaller.appspotmail.com>,
<syzkaller-bugs@...glegroups.com>
Subject: [PATCH V2 2/2] ocfs2: Fix uaf in ocfs2_read_blocks
In the for-loop after the 'read_failure' label, the condition
'(bh == NULL) && flags includes OCFS2_BH_READAHEAD' is missing.
When this contidion is true, this for-loop will call ocfs2_set_buffer
_uptodate(ci, bh), which then triggers a NULL pointer access error.
Reported-and-suggested-by: Heming Zhao <heming.zhao@...e.com>
Signed-off-by: Lizhi Xu <lizhi.xu@...driver.com>
---
fs/ocfs2/buffer_head_io.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
index e62c7e1de4eb..b4a76f45253d 100644
--- a/fs/ocfs2/buffer_head_io.c
+++ b/fs/ocfs2/buffer_head_io.c
@@ -384,6 +384,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
goto read_failure;
}
}
+ if (!bh)
+ continue;
/* Always set the buffer in the cache, even if it was
* a forced read, or read-ahead which hasn't yet
--
2.43.0
Powered by blists - more mailing lists