[f2fs-dev] f2fs: fix uaf in destroy_device_list

Message ID	tencent_BEF36CE365896CC3B36456B765576766C105@qq.com (mailing list archive)
State	New
Headers	show Return-Path: <linux-f2fs-devel-bounces@lists.sourceforge.net> Message-ID: <tencent_BEF36CE365896CC3B36456B765576766C105@qq.com> To: syzbot+a5e651ca75fa0260acd5@syzkaller.appspotmail.com Date: Sat, 13 Jan 2024 19:28:31 +0800 In-Reply-To: <000000000000aac725060ed0b15c@google.com> References: <000000000000aac725060ed0b15c@google.com> MIME-Version: 1.0 Subject: [f2fs-dev] [PATCH] f2fs: fix uaf in destroy_device_list Precedence: list From: Edward Adam Davis via Linux-f2fs-devel <linux-f2fs-devel@lists.sourceforge.net> Reply-To: Edward Adam Davis <eadavis@qq.com> Cc: syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-fsdevel@vger.kernel.org, jaegeuk@kernel.org Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: linux-f2fs-devel-bounces@lists.sourceforge.net
Series	[f2fs-dev] f2fs: fix uaf in destroy_device_list \| expand [f2fs-dev] f2fs: fix uaf in destroy_device_list

Message ID

tencent_BEF36CE365896CC3B36456B765576766C105@qq.com (mailing list archive)

State

New

Headers

Message-ID: <tencent_BEF36CE365896CC3B36456B765576766C105@qq.com>
To: syzbot+a5e651ca75fa0260acd5@syzkaller.appspotmail.com
Date: Sat, 13 Jan 2024 19:28:31 +0800
In-Reply-To: <000000000000aac725060ed0b15c@google.com>
References: <000000000000aac725060ed0b15c@google.com>
MIME-Version: 1.0
Subject: [f2fs-dev] [PATCH] f2fs: fix uaf in destroy_device_list
Precedence: list
From: Edward Adam Davis via Linux-f2fs-devel
 <linux-f2fs-devel@lists.sourceforge.net>
Reply-To: Edward Adam Davis <eadavis@qq.com>
Cc: syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org,
 linux-f2fs-devel@lists.sourceforge.net, linux-fsdevel@vger.kernel.org,
 jaegeuk@kernel.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: linux-f2fs-devel-bounces@lists.sourceforge.net

Series

[f2fs-dev] f2fs: fix uaf in destroy_device_list | expand

Commit Message

Edward Adam Davis Jan. 13, 2024, 11:28 a.m. UTC

When the call to f2fs_fill_super() fails, only the memory occupied by sbi is 
released, but s_fs_info is not set to NULL, this will cause the current issue
to occur. 

Reported-and-tested-by: syzbot+a5e651ca75fa0260acd5@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/f2fs/super.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index d00d21a8b53a..9939e2445b1e 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4879,6 +4879,7 @@  static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
 free_sbi:
 	if (sbi->s_chksum_driver)
 		crypto_free_shash(sbi->s_chksum_driver);
+	sb->s_fs_info = NULL;
 	kfree(sbi);
 
 	/* give only one another chance */

[f2fs-dev] f2fs: fix uaf in destroy_device_list

Commit Message

Patch