CVE-2023-53311

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
16/09/2025
Last modified:
14/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput

During unmount process of nilfs2, nothing holds nilfs_root structure after nilfs2 detaches its writer in nilfs_detach_log_writer(). Previously, nilfs_evict_inode() could cause use-after-free read for nilfs_root if inodes are left in "garbage_list" and released by nilfs_dispose_list at the end of nilfs_detach_log_writer(), and this bug was fixed by commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()").

However, it turned out that there is another possibility of UAF in the call path where mark_inode_dirty_sync() is called from iput():

nilfs_detach_log_writer()
  nilfs_dispose_list()
    iput()
      mark_inode_dirty_sync()
        __mark_inode_dirty()
          nilfs_dirty_inode()
            __nilfs_mark_inode_dirty()
              nilfs_load_inode_block() --> causes UAF of nilfs_root struct

This can happen after commit 0ae45f63d4ef ("vfs: add support for a lazytime mount option"), which changed iput() to call mark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME flag and i_nlink is non-zero.

This issue appears after commit 28a65b49eb53 ("nilfs2: do not write dirty data after degenerating to read-only") when using the syzbot reproducer, but the issue has potentially existed before.

Fix this issue by adding a "purging flag" to the nilfs structure, setting that flag while disposing the "garbage_list" and checking it in __nilfs_mark_inode_dirty().

Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()"), this patch does not rely on ns_writer to determine whether to skip operations, so as not to break recovery on mount. The nilfs_salvage_orphan_logs routine dirties the buffer of salvaged data before attaching the log writer, so changing __nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL will cause recovery write to fail. The purpose of using the cleanup-only flag is to allow for narrowing of such conditions.
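The following is an added example, not kernel code and not part of the advisory or of the nilfs2 patch. It is a small user-space C model of the call path described above: the lazytime behaviour of iput() (final reference, I_DIRTY_TIME set, i_nlink non-zero) drives a dirty-inode callback that dereferences the root object after unmount has released it, and a cleanup-only "purging" flag set around the garbage-list disposal is what stops that dereference. The model also shows why the fix checks that flag rather than ns_writer: recovery on mount dirties data while the writer is still NULL, and that path must keep working. All type and field names here (model_nilfs, ns_purging, fix_enabled, run_unmount_scenario, run_recovery_scenario) are assumptions made for the illustration, and the freed root is simulated with a flag instead of real freed memory so the program runs deterministically.

```c
/*
 * Added example (not nilfs2 code): models the iput() -> mark_inode_dirty_sync()
 * -> __nilfs_mark_inode_dirty() -> nilfs_load_inode_block() path and the
 * purging-flag guard. Names and layouts are simplified assumptions.
 */
#include <stdio.h>
#include <stdlib.h>

#define I_DIRTY_TIME 0x1   /* lazytime: only timestamps are dirty */

struct model_root {
    int freed;               /* set once "unmount" has released the root */
    int touched_after_free;  /* counts what would be UAF reads in the kernel */
};

struct model_inode {
    struct model_root *root;
    unsigned int i_state;
    unsigned int i_nlink;
    int refcount;
    struct model_inode *next;   /* garbage_list link */
};

struct model_nilfs {
    struct model_root *root;
    void *ns_writer;     /* NULL before attach and after detach */
    int ns_purging;      /* the cleanup-only flag the fix adds (assumed name) */
    int fix_enabled;     /* 1 = behave as patched, 0 = pre-fix behaviour */
    int writes_issued;   /* dirtying operations that went through */
};

/* Models nilfs_load_inode_block(): needs the root, so it dereferences it. */
static int model_load_inode_block(struct model_nilfs *nilfs, struct model_inode *inode)
{
    struct model_root *root = inode->root;
    if (root->freed) {
        root->touched_after_free++;   /* in the kernel: use-after-free read */
        return -1;
    }
    nilfs->writes_issued++;
    return 0;
}

/* Models __nilfs_mark_inode_dirty(): skip only while the garbage list is
 * being purged. Deliberately no ns_writer == NULL check, so that recovery
 * writes issued before the writer is attached still go through. */
static int model_mark_inode_dirty(struct model_nilfs *nilfs, struct model_inode *inode)
{
    if (nilfs->fix_enabled && nilfs->ns_purging)
        return 0;   /* inode is being discarded; nothing to write back */
    return model_load_inode_block(nilfs, inode);
}

/* Models the lazytime iput(): on the final reference, an inode whose
 * i_state has I_DIRTY_TIME and whose i_nlink is non-zero is dirtied
 * via mark_inode_dirty_sync() before it is torn down. */
static void model_iput(struct model_nilfs *nilfs, struct model_inode *inode)
{
    if (--inode->refcount == 0) {
        if ((inode->i_state & I_DIRTY_TIME) && inode->i_nlink)
            model_mark_inode_dirty(nilfs, inode);
        free(inode);
    }
}

/* Models nilfs_dispose_list() at the end of nilfs_detach_log_writer():
 * the fix sets the purging flag for the duration of the loop. */
static void model_dispose_list(struct model_nilfs *nilfs, struct model_inode *garbage_list)
{
    nilfs->ns_purging = 1;
    while (garbage_list) {
        struct model_inode *next = garbage_list->next;
        model_iput(nilfs, garbage_list);
        garbage_list = next;
    }
    nilfs->ns_purging = 0;
}

/* Unmount path: three lazytime-dirty inodes sit on the garbage list when the
 * writer is detached and the root is released. Returns how many times the
 * released root was dereferenced (0 is the only acceptable answer). */
int run_unmount_scenario(int fix_enabled)
{
    struct model_root root = {0, 0};
    struct model_nilfs nilfs = { &root, NULL, 0, fix_enabled, 0 };
    struct model_inode *garbage_list = NULL;
    int i;

    for (i = 0; i < 3; i++) {
        struct model_inode *ino = calloc(1, sizeof *ino);
        ino->root = &root;
        ino->i_state = I_DIRTY_TIME;
        ino->i_nlink = 1;
        ino->refcount = 1;
        ino->next = garbage_list;
        garbage_list = ino;
    }
    nilfs.ns_writer = NULL;   /* writer detached */
    root.freed = 1;           /* nothing holds nilfs_root any more */
    model_dispose_list(&nilfs, garbage_list);
    return root.touched_after_free;
}

/* Mount-time recovery: salvaged data is dirtied before the log writer is
 * attached (ns_writer still NULL). Returns 1 if the write went through. */
int run_recovery_scenario(int fix_enabled)
{
    struct model_root root = {0, 0};
    struct model_nilfs nilfs = { &root, NULL, 0, fix_enabled, 0 };
    struct model_inode ino = { &root, 0, 1, 1, NULL };

    model_mark_inode_dirty(&nilfs, &ino);
    return nilfs.writes_issued;
}

int main(void)
{
    printf("unmount, pre-fix:  %d root accesses after release\n", run_unmount_scenario(0));
    printf("unmount, patched:  %d root accesses after release\n", run_unmount_scenario(1));
    printf("recovery, patched: %d write(s) issued with ns_writer == NULL\n", run_recovery_scenario(1));
    return 0;
}
```

Without the flag every inode on the list reaches the root dereference after release; with it the disposal loop skips the dirtying step entirely, while the recovery case, where ns_writer is NULL but nothing is being purged, still issues its write. That is the narrowing the commit message refers to: a writer-presence check would have silenced both cases, the purging flag silences only the one that is unsafe.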

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.0 (including) 4.14.323 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.292 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.254 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.191 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.127 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.46 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.4.11 (excluding)
cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.5:rc5:*:*:*:*:*:*