CVE-2021-47656

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47656
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47656.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47656
Related
Published
2025-02-26T06:37:07Z
Modified
2025-02-27T18:40:48.489894Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

jffs2: fix use-after-free in jffs2_clear_xattr_subsystem

When we mount a jffs2 image, assume that the first few blocks of the image are normal and contain at least one xattr-related inode, but the next block is abnormal. As a result, an error is returned in jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then called in jffs2_build_filesystem() and then again in jffs2_do_fill_super().

Finally we can observe the following report:
==================================================================
BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac
Read of size 8 at addr ffff8881243384e0 by task mount/719

Call Trace:
 dump_stack+0x115/0x16b
 jffs2_clear_xattr_subsystem+0x95/0x6ac
 jffs2_do_fill_super+0x84f/0xc30
 jffs2_fill_super+0x2ea/0x4c0
 mtd_get_sb+0x254/0x400
 mtd_get_sb_bynr+0x4f/0xd0
 get_tree_mtd+0x498/0x840
 jffs2_get_tree+0x25/0x30
 vfs_get_tree+0x8d/0x2e0
 path_mount+0x50f/0x1e50
 do_mount+0x107/0x130
 __se_sys_mount+0x1c5/0x2f0
 __x64_sys_mount+0xc7/0x160
 do_syscall_64+0x45/0x70
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Allocated by task 719:
 kasan_save_stack+0x23/0x60
 __kasan_kmalloc.constprop.0+0x10b/0x120
 kasan_slab_alloc+0x12/0x20
 kmem_cache_alloc+0x1c0/0x870
 jffs2_alloc_xattr_ref+0x2f/0xa0
 jffs2_scan_medium.cold+0x3713/0x4794
 jffs2_do_mount_fs.cold+0xa7/0x2253
 jffs2_do_fill_super+0x383/0xc30
 jffs2_fill_super+0x2ea/0x4c0
 [...]

Freed by task 719:
 kmem_cache_free+0xcc/0x7b0
 jffs2_free_xattr_ref+0x78/0x98
 jffs2_clear_xattr_subsystem+0xa1/0x6ac
 jffs2_do_mount_fs.cold+0x5e6/0x2253
 jffs2_do_fill_super+0x383/0xc30
 jffs2_fill_super+0x2ea/0x4c0
 [...]

The buggy address belongs to the object at ffff8881243384b8
 which belongs to the cache jffs2_xattr_ref of size 48
The buggy address is located 40 bytes inside of
 48-byte region [ffff8881243384b8, ffff8881243384e8)
[...]
==================================================================

The triggering of the BUG is shown in the following stack:

jffs2_fill_super
  jffs2_do_fill_super
    jffs2_do_mount_fs
      jffs2_build_filesystem
        jffs2_scan_medium
          jffs2_scan_eraseblock        <--- ERROR
        jffs2_clear_xattr_subsystem    <--- free
    jffs2_clear_xattr_subsystem        <--- free again

An error is returned in jffs2_do_mount_fs(). If the error is returned by jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to be executed. If the error is returned by jffs2_build_filesystem(), the jffs2_clear_xattr_subsystem() also does not need to be executed again. So move jffs2_clear_xattr_subsystem() from 'out_inohash' to 'out_root' to fix this UAF problem.
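As an added illustration (not kernel code and not part of this advisory), the following C model reproduces the control flow described above using hypothetical stand-ins for the jffs2_* routines. A recording pool replaces the jffs2_xattr_ref slab cache so that the second tear-down is counted instead of being executed on freed memory; the scan/build/fill_super layering, the block indices, the out_root and out_inohash labels and the `fail_root` step are all constructed for the example.

```c
/* Added example modelling the double tear-down described above; it is not
 * kernel code. The jffs2_* functions are replaced by hypothetical stand-ins,
 * and a recording pool replaces the kmem_cache so a second free is counted
 * instead of corrupting memory. */
#define MAX_REFS 8

struct xattr_ref { int in_use; struct xattr_ref *next; };

struct mount_ctx {
    struct xattr_ref pool[MAX_REFS]; /* stand-in for the jffs2_xattr_ref cache */
    struct xattr_ref *xref_list;     /* refs collected while scanning blocks */
    int bad_block, fail_root;        /* constructed failure points, see run_mount() */
    int double_frees;                /* frees of a ref that was already freed */
};

/* ret: 0 on success, -1 on failure; double_frees > 0 means the real code
 * would have hit the UAF; live_refs: refs still allocated afterwards. */
struct mount_result { int ret, double_frees, live_refs; };

/* Stand-in for jffs2_scan_eraseblock(): each good block takes one ref from
 * the pool and links it into the list; the bad block returns an error. */
static int scan_eraseblock(struct mount_ctx *c, int block)
{
    if (block == c->bad_block)
        return -1;
    for (int i = 0; i < MAX_REFS; i++) {
        if (c->pool[i].in_use) continue;
        c->pool[i].in_use = 1;
        c->pool[i].next = c->xref_list;
        c->xref_list = &c->pool[i];
        return 0;
    }
    return -1; /* pool exhausted */
}

/* Stand-in for jffs2_clear_xattr_subsystem(). Like the original it does not
 * reset the list head, so a second call re-reads and re-frees released refs. */
static void clear_xattr_subsystem(struct mount_ctx *c)
{
    for (struct xattr_ref *ref = c->xref_list, *next; ref; ref = next) {
        next = ref->next;      /* the "Read of size 8" in the KASAN report */
        if (!ref->in_use)
            c->double_frees++; /* where KASAN flags the use-after-free */
        ref->in_use = 0;
    }
}

/* Stand-in for jffs2_build_filesystem(): on a scan error it tears down the
 * xattr subsystem itself before reporting failure.       <--- free */
static int build_filesystem(struct mount_ctx *c, int nr_blocks)
{
    for (int b = 0; b < nr_blocks; b++)
        if (scan_eraseblock(c, b) < 0) {
            clear_xattr_subsystem(c);
            return -1;
        }
    return 0;
}

/* Before the fix: a build failure jumps to out_inohash, where the refs are
 * freed a second time.                                    <--- free again */
static int do_fill_super_buggy(struct mount_ctx *c, int nr_blocks)
{
    int ret = build_filesystem(c, nr_blocks);
    if (ret) goto out_inohash;
    if (c->fail_root) { ret = -1; goto out_root; } /* e.g. root inode lookup */
    return 0;
out_root:    /* other resources are released here in the real code */
out_inohash:
    clear_xattr_subsystem(c);
    return ret;
}

/* After the fix: the clear call sits at out_root, reached only by failures
 * after a successful build, so a build failure is not torn down twice. */
static int do_fill_super_fixed(struct mount_ctx *c, int nr_blocks)
{
    int ret = build_filesystem(c, nr_blocks);
    if (ret) goto out_inohash;
    if (c->fail_root) { ret = -1; goto out_root; }
    return 0;
out_root:
    clear_xattr_subsystem(c);
out_inohash:
    return ret;
}

/* Runs one mount attempt over a constructed image: nr_blocks blocks, of which
 * bad_block (if < nr_blocks) fails to scan; fail_root fails a later step. */
struct mount_result run_mount(int use_fix, int nr_blocks, int bad_block, int fail_root)
{
    struct mount_ctx c = { .bad_block = bad_block, .fail_root = fail_root };
    struct mount_result r = { 0, 0, 0 };
    r.ret = use_fix ? do_fill_super_fixed(&c, nr_blocks)
                    : do_fill_super_buggy(&c, nr_blocks);
    r.double_frees = c.double_frees;
    for (int i = 0; i < MAX_REFS; i++)
        r.live_refs += c.pool[i].in_use;
    return r;
}
```

For a four-block image whose third block is corrupt, `run_mount(0, 4, 2, 0)` (pre-fix) reports two double frees, while `run_mount(1, 4, 2, 0)` (post-fix) reports none and leaves no live refs; `run_mount(1, 4, 99, 1)` shows that a failure after a successful build still reaches the tear-down at out_root. Keeping each resource's release on exactly one error label, as the patch does, is the usual way this class of double-release bug is avoided in goto-style cleanup; a complementary hardening not applied by the patch would be to reset the list head at the end of clear_xattr_subsystem() so that a repeated call becomes a no-op.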

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.113-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}