On Fri, Mar 21, 2025 at 3:38 PM Sungjong Seo <sj1557.seo@xxxxxxxxxxx> wrote:
>
> When get_block is called with a buffer_head allocated on the stack, such
> as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in
> the following race condition situation.
>
> <CPU 0>                                     <CPU 1>
> mpage_read_folio
>   <<bh on stack>>
>   do_mpage_readpage
>     exfat_get_block
>       bh_read
>         __bh_read
>           get_bh(bh)
>           submit_bh
>           wait_on_buffer
>                                             ...
>                                             end_buffer_read_sync
>                                               __end_buffer_read_notouch
>                                                 unlock_buffer
>           <<keep going>>
>           ...
>           ...
>           ...
>           ...
> <<bh is not valid out of mpage_read_folio>>
>   .
>   .
> another_function
>   <<variable A on stack>>
>                                                 put_bh(bh)
>                                                   atomic_dec(bh->b_count)
>                                                   * stack corruption here *
>
> This patch returns -EAGAIN if a folio does not have buffers when bh_read
> needs to be called. By doing this, the caller can fall back to functions
> like block_read_full_folio(), create a buffer_head in the folio, and then
> call get_block again.
>
> Let's not call bh_read() with an on-stack buffer_head.
>
> Fixes: 11a347fb6cef ("exfat: change to get file size from DataLength")
> Cc: stable@xxxxxxxxxxxxxxx
> Tested-by: Yeongjin Gil <youngjin.gil@xxxxxxxxxxx>
> Signed-off-by: Sungjong Seo <sj1557.seo@xxxxxxxxxxx>

Applied it to #dev. Thanks!
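The interleaving in the quoted commit message, replayed as a single-threaded userspace model so the outcome is deterministic. This is an added example and not kernel code or part of the patch: `bh_model`, `frame_model`, `io_model`, `submit_read`, `complete_unlock`, `complete_put`, `replay_stack_bh` and `replay_folio_bh` are hypothetical stand-ins for the kernel's buffer_head, get_bh/put_bh, the I/O completion path and a folio-owned buffer. The "stack" is a union whose bytes are first used as the reader's buffer_head and then, after the reader returns, as another_function's variable A; the completion's late put_bh lands on that reused storage in the stack case and on the folio-owned buffer in the fixed flow.

```c
/*
 * Added example, not kernel code: a deterministic replay of the
 * <CPU 0> / <CPU 1> interleaving from the commit message above.
 * All names are hypothetical models of buffer_head, get_bh/put_bh,
 * end_buffer_read_sync and a folio-owned buffer.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_SIZE 64

struct bh_model {          /* stand-in for struct buffer_head */
    int b_count;           /* reference count (atomic_t in the kernel) */
    bool locked;           /* BH_Lock */
    bool uptodate;         /* BH_Uptodate */
};

/* One callee stack frame: first the reader's bh lives here, then the same
 * bytes become another_function's variable A after the reader returns. */
union frame_model {
    struct bh_model bh;
    uint8_t bytes[FRAME_SIZE];
};

/* The completion path keeps the pointer it was handed at submit time. */
struct io_model {
    struct bh_model *bh;
    bool completed;
};

static void get_bh(struct bh_model *bh) { bh->b_count++; }
static void put_bh(struct bh_model *bh) { bh->b_count--; }  /* atomic_dec(&bh->b_count) */

/* CPU 0: bh_read -> __bh_read -> get_bh(bh), submit_bh. */
static struct io_model submit_read(struct bh_model *bh)
{
    bh->locked = true;      /* lock_buffer() before the I/O is issued */
    get_bh(bh);             /* the I/O holds its own reference */
    return (struct io_model){ .bh = bh, .completed = false };
}

/* CPU 1, first half: __end_buffer_read_notouch -> unlock_buffer.
 * This wakes wait_on_buffer on CPU 0 while the I/O reference is still held. */
static void complete_unlock(struct io_model *io)
{
    io->bh->uptodate = true;
    io->bh->locked = false;
}

/* CPU 1, second half: end_buffer_read_sync drops the I/O reference. */
static void complete_put(struct io_model *io)
{
    put_bh(io->bh);
    io->completed = true;
}

/* CPU 0 after mpage_read_folio returned: another_function reuses the frame
 * and initialises its variable A to a known pattern. */
static void reuse_frame(union frame_model *f, uint8_t fill)
{
    memset(f->bytes, fill, sizeof f->bytes);
}

/* True if variable A still holds the pattern it was initialised with. */
static bool frame_intact(const union frame_model *f, uint8_t fill)
{
    for (size_t i = 0; i < sizeof f->bytes; i++)
        if (f->bytes[i] != fill)
            return false;
    return true;
}

/* Replay the diagram with the bh on the stack frame.
 * Returns true if the late put_bh corrupted the reused frame. */
bool replay_stack_bh(void)
{
    union frame_model frame;                /* <<bh on stack>> */
    memset(&frame, 0, sizeof frame);
    frame.bh.b_count = 1;

    struct io_model io = submit_read(&frame.bh); /* exfat_get_block -> bh_read */
    complete_unlock(&io);                   /* CPU 1: unlock_buffer, CPU 0 keeps going */
    reuse_frame(&frame, 0x41);              /* mpage_read_folio returned; variable A */
    complete_put(&io);                      /* CPU 1: put_bh(bh) decrements inside A */
    return !frame_intact(&frame, 0x41);
}

/* Same schedule with a folio-owned bh, which is what the caller reaches after
 * get_block returns -EAGAIN and block_read_full_folio() creates buffers: the
 * bh outlives the reader's frame, so the late put_bh hits the right object. */
bool replay_folio_bh(void)
{
    static struct bh_model folio_bh;        /* lifetime tied to the folio */
    union frame_model frame;
    memset(&folio_bh, 0, sizeof folio_bh);
    memset(&frame, 0, sizeof frame);
    folio_bh.b_count = 1;

    struct io_model io = submit_read(&folio_bh);
    complete_unlock(&io);
    reuse_frame(&frame, 0x41);
    complete_put(&io);
    return !frame_intact(&frame, 0x41) || folio_bh.b_count != 1;
}

int main(void)
{
    printf("stack bh: frame corrupted = %s\n", replay_stack_bh() ? "yes" : "no");
    printf("folio bh: frame corrupted = %s\n", replay_folio_bh() ? "yes" : "no");
    return 0;
}
```

The replay is single-threaded on purpose: the diagram is one specific schedule, and running its steps in that order shows why unlock_buffer waking the waiter before put_bh runs is the window that matters. In the stack variant the decrement lands in variable A's bytes; in the folio variant the reference count returns to 1 and the frame is untouched, which is the lifetime property the -EAGAIN fallback restores.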