In the Linux kernel, the following vulnerability has been resolved:
exfat: fix random stack corruption after get_block
When get_block is called with a buffer_head allocated on the stack, such as in do_mpage_readpage, stack corruption due to a buffer_head UAF may occur in the following race condition situation.
     <CPU 0>                                <CPU 1>
mpage_read_folio
  <<bh on stack>>
  do_mpage_readpage
    exfat_get_block
      bh_read
        __bh_read
          get_bh(bh)
          submit_bh
          wait_on_buffer
                                      ...
                                      end_buffer_read_sync
                                        __end_buffer_read_notouch
                                          unlock_buffer
          <<keep going>>
      ...
    ...
  ...
<<bh is not valid out of mpage_read_folio>>
  .
  .
another_function
  <<variable A on stack>>
                                          put_bh(bh)
                                            atomic_dec(bh->b_count)
  * stack corruption here *
This patch returns -EAGAIN if a folio does not have buffers when bh_read needs to be called. By doing this, the caller can fall back to functions like block_read_full_folio(), create a buffer_head in the folio, and then call get_block again.
Let's not call bh_read() with an on-stack buffer_head.
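The race in the diagram and the shape of the fix, as an added userspace model; this is not the kernel's or the exfat driver's own code. Every function and struct below is a stand-in for the kernel routine of the same name, and model_stack, frame_push, frame_pop, pending_put, io_completion_finish, folio_bh_pool and run_scenario are constructs of this example. A byte array plays the kernel stack so that the frame reuse from the diagram happens deterministically: wait_on_buffer is modelled as returning the moment unlock_buffer runs, while the completing CPU's put_bh is recorded and run later, after mpage_read_folio's frame has been replaced by another_function's variable A.

```c
#include <stdio.h>
#include <string.h>

/* Added userspace model of the race in the commit message; every name below is a
 * stand-in for the kernel routine of the same name, not the kernel's own code. */

#define EAGAIN 11

struct buffer_head { int b_count; int b_locked; };     /* models b_count and BH_Lock */
struct folio { struct buffer_head *buffers; };          /* NULL until buffers attached */

/* A byte array plays the kernel stack so frame reuse is deterministic and well-defined. */
static union { unsigned char bytes[256]; long align; } model_stack;
static size_t model_sp;

static void *frame_push(size_t n)
{
	void *p = model_stack.bytes + model_sp;
	model_sp += n;
	return memset(p, 0, n);
}
static void frame_pop(size_t n) { model_sp -= n; }

/* The put_bh(bh) that "CPU 1" has not yet run when the waiter on "CPU 0" wakes. */
static struct buffer_head *pending_put;

static void get_bh(struct buffer_head *bh) { bh->b_count++; }
static void put_bh(struct buffer_head *bh) { bh->b_count--; }

/* Models __bh_read plus end_buffer_read_sync: wait_on_buffer returns as soon as
 * unlock_buffer runs, but the completing CPU still owes a put_bh(bh) afterward. */
static int bh_read(struct buffer_head *bh)
{
	get_bh(bh);
	bh->b_locked = 1;   /* submit_bh */
	bh->b_locked = 0;   /* __end_buffer_read_notouch -> unlock_buffer: waiter released */
	pending_put = bh;   /* put_bh(bh) -> atomic_dec(bh->b_count) still to come */
	return 0;
}

static void io_completion_finish(void)
{
	if (pending_put)
		put_bh(pending_put);
	pending_put = NULL;
}

/* block_read_full_folio's first step: give the folio its own buffer_head. */
static struct buffer_head folio_bh_pool[1];
static struct buffer_head *folio_buffers(struct folio *f) { return f->buffers; }
static void create_folio_buffers(struct folio *f)
{
	memset(folio_bh_pool, 0, sizeof folio_bh_pool);
	f->buffers = folio_bh_pool;
}

typedef int (*get_block_fn)(struct folio *, struct buffer_head *);

/* Before the fix: reads through whatever bh it was handed, on-stack or not. */
static int exfat_get_block_unfixed(struct folio *f, struct buffer_head *bh)
{
	(void)f;
	return bh_read(bh);
}

/* After the fix: a folio without buffers means bh is the caller's on-stack one. */
static int exfat_get_block_fixed(struct folio *f, struct buffer_head *bh)
{
	if (!folio_buffers(f))
		return -EAGAIN;
	return bh_read(bh);
}

/* Runs the CPU 0 column of the diagram and returns variable A as seen after
 * CPU 1's deferred put_bh; 0x41414141 means the stack survived intact. */
int run_scenario(get_block_fn get_block)
{
	struct folio folio = { NULL };
	struct buffer_head *bh;
	int *A, observed, err;

	model_sp = 0;
	pending_put = NULL;
	bh = frame_push(sizeof *bh);       /* mpage_read_folio: bh on stack */
	err = get_block(&folio, bh);
	frame_pop(sizeof *bh);             /* bh is not valid out of mpage_read_folio */
	if (err == -EAGAIN) {              /* fallback: block_read_full_folio */
		create_folio_buffers(&folio);
		get_block(&folio, folio_buffers(&folio));
	}
	A = frame_push(sizeof *A);         /* another_function: variable A on stack */
	*A = 0x41414141;
	io_completion_finish();            /* CPU 1 finally runs put_bh(bh) */
	observed = *A;
	frame_pop(sizeof *A);
	return observed;
}

int main(void)
{
	printf("unfixed: A = 0x%08x\n", (unsigned)run_scenario(exfat_get_block_unfixed));
	printf("fixed:   A = 0x%08x\n", (unsigned)run_scenario(exfat_get_block_fixed));
	return 0;
}
```

Built with an ordinary C compiler, the unfixed run shows A decremented by the late atomic_dec(bh->b_count), because the on-stack buffer_head and A occupy the same bytes; the fixed run shows A untouched, because the first get_block call refused the on-stack bh with -EAGAIN and the retry went through a buffer_head that belongs to the folio and outlives the caller's frame. The model collapses the two CPUs into one deterministic sequence; on real hardware the same ordering is only one possible interleaving, which is why the corruption was reported as random.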