CVE-2026-63811
Fecha de publicación:
19/07/2026
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
f2fs: read COW data with the original inode during atomic write<br />
<br />
When updating an atomic-write file, f2fs_write_begin() may read the<br />
previously written data back from the COW inode:<br />
prepare_atomic_write_begin() locates the block in the COW inode and sets<br />
use_cow, and the read bio is then built with the COW inode:<br />
<br />
f2fs_submit_page_read(use_cow ? F2FS_I(inode)->cow_inode : inode,<br />
...);<br />
<br />
and f2fs_grab_read_bio() decides whether to schedule fs-layer decryption<br />
(STEP_DECRYPT) for the bio based on that inode via<br />
fscrypt_inode_uses_fs_layer_crypto().<br />
<br />
However, the folio being filled belongs to the original inode<br />
(folio->mapping->host == inode), and the data stored in the COW block was<br />
encrypted (or left as plaintext) using the original inode&#39;s context, not<br />
the COW inode&#39;s -- see f2fs_encrypt_one_page(), which keys off<br />
fio->page->mapping->host. fscrypt_decrypt_pagecache_blocks() likewise<br />
operates on folio->mapping->host.<br />
<br />
The COW inode is created as a tmpfile in the parent directory and inherits<br />
its encryption policy from there. With test_dummy_encryption the newly<br />
created COW inode gets the dummy policy and becomes encrypted, while a<br />
pre-existing regular file -- created before the policy applied, e.g.<br />
already present in the on-disk image -- stays unencrypted. The read<br />
path then sets STEP_DECRYPT based on the encrypted COW inode and calls<br />
fscrypt_decrypt_pagecache_blocks() on a folio whose host (the unencrypted<br />
original inode) has a NULL ->i_crypt_info, dereferencing it:<br />
<br />
Oops: general protection fault, probably for non-canonical address ...<br />
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]<br />
RIP: 0010:fscrypt_decrypt_pagecache_blocks+0xa0/0x310<br />
Workqueue: f2fs_post_read_wq f2fs_post_read_work<br />
Call Trace:<br />
fscrypt_decrypt_bio+0x1eb/0x340<br />
f2fs_post_read_work+0xba/0x140<br />
process_one_work+0x91c/0x1a40<br />
worker_thread+0x677/0xe90<br />
kthread+0x2bc/0x3a0<br />
<br />
The COW inode is only needed to locate the on-disk block, and that block<br />
address is already resolved into @blkaddr by prepare_atomic_write_begin()<br />
via __find_data_block(cow_inode, ...); f2fs_submit_page_read() then reads<br />
from that physical @blkaddr directly, so the inode argument only selects<br />
the post-read crypto context, not which block is fetched. Reading with<br />
@inode therefore returns the same (latest, not-yet-committed) COW data,<br />
while making both the fs-layer decryption decision and the inline crypto<br />
path use the correct (original inode&#39;s) key.<br />
<br />
With the COW inode no longer used at the read site, the use_cow flag has no<br />
remaining consumer; drop it from f2fs_write_begin() and<br />
prepare_atomic_write_begin().
Gravedad: Pendiente de análisis
Última modificación:
19/07/2026