216871 – bug: use after free when journal read failed

Bug 216871 - bug: use after free when journal read failed

Summary: bug: use after free when journal read failed

Status:	NEW

Alias:	None

Product:	File System
Classification:	Unclassified
Component:	ReiserFS (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	ReiseFS developers team

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-12-31 12:13 UTC by eriri
Modified:	2023-01-01 03:15 UTC (History)
CC List:	0 users

See Also:
Kernel Version:	6.0
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description eriri 2022-12-31 12:13:46 UTC

When reading the journal header block failed, journal_read return 1. But the caller journal_init ignores the value and doesn't handle this case. It will cause a UAF bug at fs unmount.

https://elixir.bootlin.com/linux/v6.0.1/source/fs/reiserfs/journal.c#L2399

Note You need to log in before you can comment on or make changes to this bug.

Format For Printing
- XML
- Clone This Bug
- Top of page