From: Baokun Li <libaokun1@huawei.com>
To: Theodore Ts'o <tytso@mit.edu>, <linux-ext4@vger.kernel.org>
Cc: <lczerner@redhat.com>, <chengzhihao1@huawei.com>,
<enwlinux@gmail.com>, <linux-kernel@vger.kernel.org>,
<ritesh.list@gmail.com>, <stable@vger.kernel.org>,
<adilger.kernel@dilger.ca>, <yebin10@huawei.com>, <jack@suse.cz>,
<yi.zhang@huawei.com>, <yukuai3@huawei.com>
Subject: Re: [PATCH v2] ext4: fix use-after-free in ext4_ext_shift_extents
Date: Mon, 7 Nov 2022 10:01:34 +0800
Message-ID: <230c5303-2aed-7c36-3147-2c05361067ef@huawei.com>
In-Reply-To: <166450797717.256913.12979997291945870141.b4-ty@mit.edu>
On 2022/9/30 11:19, Theodore Ts'o wrote:
> On Thu, 22 Sep 2022 20:04:34 +0800, Baokun Li wrote:
>> If the starting position of our insert range happens to be in the hole
>> between the two ext4_extent_idx, because the lblk of the ext4_extent in
>> the previous ext4_extent_idx is always less than the start, which leads
>> to the "extent" variable access across the boundary, the following UAF is
>> triggered:
>> ==================================================================
>> BUG: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790
>> Read of size 4 at addr ffff88819807a008 by task fallocate/8010
>> CPU: 3 PID: 8010 Comm: fallocate Tainted: G E 5.10.0+ #492
>> Call Trace:
>> dump_stack+0x7d/0xa3
>> print_address_description.constprop.0+0x1e/0x220
>> kasan_report.cold+0x67/0x7f
>> ext4_ext_shift_extents+0x257/0x790
>> ext4_insert_range+0x5b6/0x700
>> ext4_fallocate+0x39e/0x3d0
>> vfs_fallocate+0x26f/0x470
>> ksys_fallocate+0x3a/0x70
>> __x64_sys_fallocate+0x4f/0x60
>> do_syscall_64+0x33/0x40
>> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>> ==================================================================
>>
>> [...]
> Applied, thanks!
>
> [1/1] ext4: fix use-after-free in ext4_ext_shift_extents
> (no commit info)
>
> Best regards,
Hi Theodore,
Could you tell me why this patch has been applied, but there is no commit
info, and the patch cannot be found on any branch?
--
With Best Regards,
Baokun Li