CVE-2021-47656

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> jffs2: fix use-after-free in jffs2_clear_xattr_subsystem<br /> <br /> When we mount a jffs2 image, assume that the first few blocks of<br /> the image are normal and contain at least one xattr-related inode,<br /> but the next block is abnormal. As a result, an error is returned<br /> in jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then<br /> called in jffs2_build_filesystem() and then again in<br /> jffs2_do_fill_super().<br /> <br /> Finally we can observe the following report:<br /> ==================================================================<br /> BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac<br /> Read of size 8 at addr ffff8881243384e0 by task mount/719<br /> <br /> Call Trace:<br /> dump_stack+0x115/0x16b<br /> jffs2_clear_xattr_subsystem+0x95/0x6ac<br /> jffs2_do_fill_super+0x84f/0xc30<br /> jffs2_fill_super+0x2ea/0x4c0<br /> mtd_get_sb+0x254/0x400<br /> mtd_get_sb_by_nr+0x4f/0xd0<br /> get_tree_mtd+0x498/0x840<br /> jffs2_get_tree+0x25/0x30<br /> vfs_get_tree+0x8d/0x2e0<br /> path_mount+0x50f/0x1e50<br /> do_mount+0x107/0x130<br /> __se_sys_mount+0x1c5/0x2f0<br /> __x64_sys_mount+0xc7/0x160<br /> do_syscall_64+0x45/0x70<br /> entry_SYSCALL_64_after_hwframe+0x44/0xa9<br /> <br /> Allocated by task 719:<br /> kasan_save_stack+0x23/0x60<br /> __kasan_kmalloc.constprop.0+0x10b/0x120<br /> kasan_slab_alloc+0x12/0x20<br /> kmem_cache_alloc+0x1c0/0x870<br /> jffs2_alloc_xattr_ref+0x2f/0xa0<br /> jffs2_scan_medium.cold+0x3713/0x4794<br /> jffs2_do_mount_fs.cold+0xa7/0x2253<br /> jffs2_do_fill_super+0x383/0xc30<br /> jffs2_fill_super+0x2ea/0x4c0<br /> [...]<br /> <br /> Freed by task 719:<br /> kmem_cache_free+0xcc/0x7b0<br /> jffs2_free_xattr_ref+0x78/0x98<br /> jffs2_clear_xattr_subsystem+0xa1/0x6ac<br /> jffs2_do_mount_fs.cold+0x5e6/0x2253<br /> jffs2_do_fill_super+0x383/0xc30<br /> jffs2_fill_super+0x2ea/0x4c0<br /> [...]<br /> <br /> The buggy address belongs to the object at ffff8881243384b8<br /> which belongs to the cache jffs2_xattr_ref of size 48<br /> The buggy address is located 40 bytes inside of<br /> 48-byte region [ffff8881243384b8, ffff8881243384e8)<br /> [...]<br /> ==================================================================<br /> <br /> The triggering of the BUG is shown in the following stack:<br /> -----------------------------------------------------------<br /> jffs2_fill_super<br /> jffs2_do_fill_super<br /> jffs2_do_mount_fs<br /> jffs2_build_filesystem<br /> jffs2_scan_medium<br /> jffs2_scan_eraseblock