In the Linux kernel, the following vulnerability has been resolved:
f2fs: compress: fix to avoid use-after-free on dic
Call trace:
__memcpy+0x128/0x250
f2fs_read_multi_pages+0x940/0xf7c
f2fs_mpage_readpages+0x5a8/0x624
f2fs_readahead+0x5c/0x110
page_cache_ra_unbounded+0x1b8/0x590
do_sync_mmap_readahead+0x1dc/0x2e4
filemap_fault+0x254/0xa8c
f2fs_filemap_fault+0x2c/0x104
__do_fault+0x7c/0x238
do_handle_mm_fault+0x11bc/0x2d14
do_mem_abort+0x3a8/0x1004
el0_da+0x3c/0xa0
el0t_64_sync_handler+0xc4/0xec
el0t_64_sync+0x1b4/0x1b8
In f2fs_read_multi_pages(), once f2fs_decompress_cluster() has been called
after hitting a cached page in compress_inode's cache, dic may already have
been released. The loop therefore needs to break rather than continue, in
order to avoid accessing an invalid (freed) dic pointer.
Vendor | Product | Version | CPE |
---|---|---|---|
linux | linux_kernel | * | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
[
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/f2fs/data.c"
],
"versions": [
{
"version": "6ce19aff0b8c",
"lessThan": "8c4504cc0c64",
"status": "affected",
"versionType": "git"
},
{
"version": "6ce19aff0b8c",
"lessThan": "9375ea7f2690",
"status": "affected",
"versionType": "git"
},
{
"version": "6ce19aff0b8c",
"lessThan": "932ddb5c29e8",
"status": "affected",
"versionType": "git"
},
{
"version": "6ce19aff0b8c",
"lessThan": "9d065aa52b6e",
"status": "affected",
"versionType": "git"
},
{
"version": "6ce19aff0b8c",
"lessThan": "b0327c84e91a",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/f2fs/data.c"
],
"versions": [
{
"version": "5.14",
"status": "affected"
},
{
"version": "0",
"lessThan": "5.14",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.15.139",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.1.63",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.5.12",
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.6.2",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.7",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
]
git.kernel.org/stable/c/8c4504cc0c64862740a6acb301e0cfa59580dbc5
git.kernel.org/stable/c/932ddb5c29e884cc6fac20417ece72ba4a35c401
git.kernel.org/stable/c/9375ea7f269093d7c884857ae1f47633a91f429c
git.kernel.org/stable/c/9d065aa52b6ee1b06f9c4eca881c9b4425a12ba2
git.kernel.org/stable/c/b0327c84e91a0f4f0abced8cb83ec86a7083f086