Bug 216721 - bug: use-after-free in read_one_chunk
Summary: bug: use-after-free in read_one_chunk
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All Linux
Importance: P1 normal
Assignee: BTRFS virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-11-21 14:19 UTC by eriri
Modified: 2023-01-20 14:38 UTC
CC List: 1 user

See Also:
Kernel Version: 6.0
Subsystem:
Regression: No
Bisected commit-id:


Attachments

Description eriri 2022-11-21 14:19:49 UTC
static int read_one_chunk(...)
{
	...
	map = kmalloc(...);
	em->map_lookup = map;                  /* em takes ownership of map; em holds the only reference */
	...
	free_extent_map(em);                   /* last reference dropped: em and map are freed here */
	return PTR_ERR(map->stripes[i].dev);   /* map is dereferenced after it was freed */
	...
}

map is assigned to em at
https://elixir.bootlin.com/linux/latest/source/fs/btrfs/volumes.c#L7094

map is used at https://elixir.bootlin.com/linux/latest/source/fs/btrfs/volumes.c#L7132

but it is freed at
https://elixir.bootlin.com/linux/latest/source/fs/btrfs/volumes.c#L7131
https://elixir.bootlin.com/linux/latest/source/fs/btrfs/extent_map.c#L81

so there is a UAF here.
Comment 1 David Sterba 2022-11-23 12:03:02 UTC
Thanks for the report. It's a conditional use-after-free because the structure is reference counted but in this case it's freshly allocated with ref 1 so it's also the last reference when free_extent_map is called. Somebody sent a fix for that so I'll add this bug for reference.

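Added illustration, not the reporter's snippet or the kernel's code: a userspace model of the reference-counted pattern behind this report, with the drop-then-dereference ordering beside a reordered version that reads the error code before the reference is dropped. The struct layouts, the helper stand-ins and the fix shown are assumptions made for the model.

```c
#include <errno.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel pieces involved (a model, not the btrfs code). */
#define ERR_PTR(err) ((void *)(long)(err))
#define PTR_ERR(ptr) ((long)(ptr))
struct btrfs_device;                                 /* opaque here */
struct map_lookup { struct { struct btrfs_device *dev; } stripes[4]; };
struct extent_map {
	int refs;                                        /* stands in for refcount_t */
	struct map_lookup *map_lookup;
};

/* Drop one reference; the last holder frees both em and its map_lookup. */
static void free_extent_map(struct extent_map *em)
{
	if (--em->refs == 0) {
		free(em->map_lookup);
		free(em);
	}
}

/* Ordering from the report: reference dropped first, map dereferenced after.
 * With refs == 1 (a freshly allocated map) that reads freed memory; with a
 * second holder it happens to work, which is why the UAF is conditional. */
static long read_one_chunk_buggy(struct extent_map *em, int i)
{
	struct map_lookup *map = em->map_lookup;
	free_extent_map(em);
	return PTR_ERR(map->stripes[i].dev);
}

/* Assumed fix: pull the error code out of the map before dropping the reference. */
static long read_one_chunk_fixed(struct extent_map *em, int i)
{
	struct map_lookup *map = em->map_lookup;
	long ret = PTR_ERR(map->stripes[i].dev);
	free_extent_map(em);
	return ret;
}

/* Constructed input: an em with `refs` holders whose stripe 0 device lookup failed. */
static struct extent_map *make_em(int refs, long err)
{
	struct extent_map *em = calloc(1, sizeof(*em));
	em->map_lookup = calloc(1, sizeof(*em->map_lookup));
	em->refs = refs;
	em->map_lookup->stripes[0].dev = ERR_PTR(err);
	return em;
}
```

Running the buggy variant with refs == 1 is undefined behaviour, so the checks below only exercise it with a second holder; KASAN or a poisoning allocator is what catches the refs == 1 case in the kernel.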