[prev in list] [next in list] [prev in thread] [next in thread] 

List:       reiserfs-devel
Subject:    [Bug 216871] New: use after free when journal read failed
From:       bugzilla-daemon () kernel ! org
Date:       2022-12-31 12:13:46
Message-ID: bug-216871-695 () https ! bugzilla ! kernel ! org/
[Download RAW message or body]

https://bugzilla.kernel.org/show_bug.cgi?id=216871

            Bug ID: 216871
           Summary: use after free when journal read failed
           Product: File System
           Version: 2.5
    Kernel Version: 6.0
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ReiserFS
          Assignee: reiserfs-devel@vger.kernel.org
          Reporter: 1527030098@qq.com
        Regression: No

When reading the journal header block failed, journal_read return 1. But the
caller journal_init ignores the value and doesn't handle this case. It will
cause a UAF bug at fs unmount.

https://elixir.bootlin.com/linux/v6.0.1/source/fs/reiserfs/journal.c#L2399

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.=
[prev in list] [next in list] [prev in thread] [next in thread]