https://bugzilla.kernel.org/show_bug.cgi?id=216871

            Bug ID: 216871
           Summary: use after free when journal read failed
           Product: File System
           Version: 2.5
    Kernel Version: 6.0
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ReiserFS
          Assignee: reiserfs-devel@xxxxxxxxxxxxxxx
          Reporter: 1527030098@xxxxxx
        Regression: No

When reading the journal header block fails, journal_read returns 1. But the caller journal_init ignores the value and doesn't handle this case. It will cause a UAF bug at fs unmount.

https://elixir.bootlin.com/linux/v6.0.1/source/fs/reiserfs/journal.c#L2399