[SRU][F/J][PATCH 0/1] CVE-2023-52760

Yuxuan Luo yuxuan.luo at canonical.com
Fri Jul 12 01:18:53 UTC 2024


[Impact]
A potential use-after-free may occur in the gfs2 file system when unmounting
the fs, which puts the system's control integrity at risk.

[Backport]
The fix commit, bdcb8aa434c6 ("gfs2: Fix slab-use-after-free in
gfs2_qd_dealloc"), addresses two problems:

1) UAF caused by gfs2_quota_cleanup() not being called if the fs is not
already withdrawn: "[otherwise], struct gfs2_sbd will be freed before
gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects".
2) Double-free caused by calling gfs2_quota_cleanup() twice if the fs is
not in read-only mode.

The second issue was introduced by f66af88e3321 ("gfs2: Stop using
gfs2_make_fs_ro for withdraw"), while the first one predates it and exists
in very old kernels. To solve the first one, call gfs2_quota_cleanup()
only if gfs2_make_fs_ro() is not called, since gfs2_make_fs_ro() calls
gfs2_quota_cleanup() as well.
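The two failure modes and the fix logic described above can be checked in a
standalone model. The following is an added example written for this note; it
is not fs/gfs2 code and not the submitted patch. The struct and function names
(model_sbd, model_make_fs_ro, model_quota_cleanup, buggy_put_super,
fixed_put_super) are hypothetical stand-ins that only mirror the call
relationships the cover letter states: make_fs_ro runs the quota cleanup
itself, and the unmount path must make sure cleanup runs exactly once. A
cleanup count of 0 stands for the missing cleanup (UAF) and a count of 2 for
the double free.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the superblock state that matters here. */
struct model_sbd {
    bool read_only;            /* fs was mounted/remounted read-only */
    bool withdrawn;            /* fs has been withdrawn after an error */
    int quota_cleanup_calls;   /* how often quota cleanup ran; must end at 1 */
};

/* Models gfs2_quota_cleanup(): frees quota state, so running it twice is a
 * double free and never running it leaves objects alive past the sbd. */
static void model_quota_cleanup(struct model_sbd *sdp)
{
    sdp->quota_cleanup_calls++;
}

/* Models gfs2_make_fs_ro(): per the cover letter it performs the quota
 * cleanup itself, which is what makes a second explicit call a double free. */
static void model_make_fs_ro(struct model_sbd *sdp)
{
    sdp->read_only = true;
    model_quota_cleanup(sdp);
}

/* Pre-fix unmount logic (a model that reproduces both reported problems, not
 * the literal kernel code): cleanup is tied to the withdrawn state instead of
 * to whether make_fs_ro ran. Returns how many times cleanup was invoked. */
static int buggy_put_super(bool read_only, bool withdrawn)
{
    struct model_sbd sdp = { .read_only = read_only, .withdrawn = withdrawn,
                             .quota_cleanup_calls = 0 };
    if (!sdp.read_only)
        model_make_fs_ro(&sdp);      /* cleanup #1 when rw */
    if (sdp.withdrawn)
        model_quota_cleanup(&sdp);   /* cleanup again if withdrawn -> double */
    /* read-only and not withdrawn: cleanup never runs -> UAF in rcu callback */
    return sdp.quota_cleanup_calls;
}

/* Fixed logic as the cover letter describes it: call quota cleanup only when
 * make_fs_ro was not called, because make_fs_ro already does it. */
static int fixed_put_super(bool read_only, bool withdrawn)
{
    struct model_sbd sdp = { .read_only = read_only, .withdrawn = withdrawn,
                             .quota_cleanup_calls = 0 };
    if (!sdp.read_only)
        model_make_fs_ro(&sdp);
    else
        model_quota_cleanup(&sdp);
    return sdp.quota_cleanup_calls;
}

/* Walks all four (read_only, withdrawn) states and reports the cleanup count;
 * anything other than exactly 1 is a bug. */
int main(void)
{
    printf("read_only withdrawn  buggy  fixed\n");
    for (int ro = 0; ro <= 1; ro++) {
        for (int wd = 0; wd <= 1; wd++) {
            int b = buggy_put_super(ro, wd);
            int f = fixed_put_super(ro, wd);
            printf("%9d %9d  %5d  %5d%s\n", ro, wd, b, f,
                   b == 0 ? "  (buggy: UAF)" : b == 2 ? "  (buggy: double free)" : "");
        }
    }
    return 0;
}
```

Running the model shows the read-only, not-withdrawn case never reaching
cleanup and the read-write, withdrawn case reaching it twice in the pre-fix
logic, while the fixed path reaches it exactly once in every state. That is
the invariant a reviewer should verify against the real fs/gfs2/super.c hunk.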

[Test]
Compile and boot tested only.

[Where things could go wrong]
Regression might occur when unmounting the fs.

Juntong Deng (1):
  gfs2: Fix slab-use-after-free in gfs2_qd_dealloc

 fs/gfs2/super.c | 2 ++
 1 file changed, 2 insertions(+)

-- 
2.34.1