In the Linux kernel, the following vulnerability has been resolved:
ext4: fix use-after-free in ext4renamedir_prepare
We got issue as follows: EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue ext4getfirstdirblock: bh->bdata=0xffff88810bee6000 len=34478 ext4getfirstdirblock: *parentde=0xffff88810beee6ae bh->b_data=0xffff88810bee6000
BUG: KASAN: use-after-free in ext4renamedir_prepare+0x152/0x220 Read of size 4 at addr ffff88810beee6ae by task rep/1895
CPU: 13 PID: 1895 Comm: rep Not tainted 5.10.0+ #241 Call Trace: dumpstack+0xbe/0xf9 printaddressdescription.constprop.0+0x1e/0x220 kasanreport.cold+0x37/0x7f ext4renamedirprepare+0x152/0x220 ext4rename+0xf44/0x1ad0 ext4rename2+0x11c/0x170 vfsrename+0xa84/0x1440 dorenameat2+0x683/0x8f0 _x64sysrenameat+0x53/0x60 dosyscall64+0x33/0x40 entrySYSCALL64afterhwframe+0x44/0xa9 RIP: 0033:0x7f45a6fc41c9 RSP: 002b:00007ffc5a470218 EFLAGS: 00000246 ORIG_RAX: 0000000000000108 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f45a6fc41c9 RDX: 0000000000000005 RSI: 0000000020000180 RDI: 0000000000000005 RBP: 00007ffc5a470240 R08: 00007ffc5a470160 R09: 0000000020000080 R10: 00000000200001c0 R11: 0000000000000246 R12: 0000000000400bb0 R13: 00007ffc5a470320 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page: page:00000000440015ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x10beee flags: 0x200000000000000() raw: 0200000000000000 ffffea00043ff4c8 ffffea0004325608 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected
Memory state around the buggy address: ffff88810beee580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88810beee600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88810beee680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88810beee700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88810beee780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Disabling lock debugging due to kernel taint ext4renamedirprepare: [2] parentde->inode=3537895424 ext4renamedirprepare: [3] dir=0xffff888124170140 ext4renamedirprepare: [4] ino=2 ext4renamedirprepare: ent->dir->iino=2 parent=-757071872
Reason is first directory entry which 'reclen' is 34478, then will get illegal parent entry. Now, we do not check directory entry after read directory block in 'ext4getfirstdirblock'. To solve this issue, check directory entry in 'ext4getfirstdir_block'.
[ Trigger an ext4_error() instead of just warning if the directory is missing a '.' or '..' entry. Also make sure we return an error code if the file system is corrupted. -TYT ]