On Thu, 22 Sep 2022 20:04:34 +0800, Baokun Li wrote:
> If the starting position of our insert range happens to be in the hole
> between the two ext4_extent_idx, because the lblk of the ext4_extent in
> the previous ext4_extent_idx is always less than the start, which leads
> to the "extent" variable access across the boundary, the following UAF is
> triggered:
> ==================================================================
> BUG: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790
> Read of size 4 at addr ffff88819807a008 by task fallocate/8010
> CPU: 3 PID: 8010 Comm: fallocate Tainted: G E 5.10.0+ #492
> Call Trace:
> dump_stack+0x7d/0xa3
> print_address_description.constprop.0+0x1e/0x220
> kasan_report.cold+0x67/0x7f
> ext4_ext_shift_extents+0x257/0x790
> ext4_insert_range+0x5b6/0x700
> ext4_fallocate+0x39e/0x3d0
> vfs_fallocate+0x26f/0x470
> ksys_fallocate+0x3a/0x70
> __x64_sys_fallocate+0x4f/0x60
> do_syscall_64+0x33/0x40
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
> ==================================================================
>
> [...]
Applied, thanks!
[1/1] ext4: fix use-after-free in ext4_ext_shift_extents
(no commit info)
Best regards,
--
Theodore Ts'o <tytso@xxxxxxx>
