Bug 216721
| Summary: | bug: use-after-free in read_one_chunk | ||
|---|---|---|---|
| Product: | File System | Reporter: | eriri (1527030098) |
| Component: | btrfs | Assignee: | BTRFS virtual assignee (fs_btrfs) |
| Status: | RESOLVED CODE_FIX | ||
| Severity: | normal | CC: | dsterba |
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | 6.0 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
Thanks for the report. It's a conditional use-after-free because the structure is reference counted but in this case it's freshly allocated with ref 1 so it's also the last reference when free_extent_map is called. Somebody sent a fix for that so I'll add this bug for reference. |
satic int read_one_chunk { ... map = kmalloc(...); em->map_lookup = map; ... free_extent_map(em); return PTR_ERR(map->stripes[i].dev); ... } map is assigned to em at https://elixir.bootlin.com/linux/latest/source/fs/btrfs/volumes.c#L7094 map used at https://elixir.bootlin.com/linux/latest/source/fs/btrfs/volumes.c#L7132 but it is freed at https://elixir.bootlin.com/linux/latest/source/fs/btrfs/volumes.c#L7131 https://elixir.bootlin.com/linux/latest/source/fs/btrfs/extent_map.c#L81 so it exists a UAF here.