[lvc-project] [PATCH] ext2: fix use-after-free in read_block_bitmap()
Fedor Pchelkin
pchelkin at ispras.ru
Tue May 12 14:52:06 MSK 2026
On Tue, 12. May 14:47, Denis Zubov wrote:
> A crafted ext2 image can trigger two crashes via mkdir on a freshly
> mounted filesystem:
>
> WARN in ext2_get_group_desc() reached from ext2_free_blocks() via
> the truncate path on inode eviction. block_group is computed from
> a corrupt on-disk block pointer and exceeds sbi->s_groups_count.
> With panic_on_warn set this panics the kernel.
>
> KASAN use-after-free in ext2_try_to_allocate() when writing a bit
> via ext2_set_bit_atomic(). read_block_bitmap() trusted
> desc->bg_block_bitmap and called sb_getblk() on a block outside
> the filesystem. The returned bh had b_data on a bdev-cache page
> that was later reclaimed back to the buddy allocator.
>
> bh_read() can return success while leaving the buffer not uptodate
> on some failure paths, after which b_data is unreliable.
These are 3 separate problems. Does it make sense to split them into a series of 3 patches?