Description
In the Linux kernel, the following vulnerability has been resolved: jbd2: check 'jh->b_transaction' before removing it from checkpoint Following process will corrupt ext4 image: Step 1: jbd2_journal_commit_transaction __jbd2_journal_insert_checkpoint(jh, commit_transaction) // Put jh into trans1->t_checkpoint_list journal->j_checkpoint_transactions = commit_transaction // Put trans1 into journal->j_checkpoint_transactions Step 2: do_get_write_access test_clear_buffer_dirty(bh) // clear buffer dirty,set jbd dirty __jbd2_journal_file_buffer(jh, transaction) // jh belongs to trans2 Step 3: drop_cache journal_shrink_one_cp_list jbd2_journal_try_remove_checkpoint if (!trylock_buffer(bh)) // lock bh, true if (buffer_dirty(bh)) // buffer is not dirty __jbd2_journal_remove_checkpoint(jh) // remove jh from trans1->t_checkpoint_list Step 4: jbd2_log_do_checkpoint trans1 = journal->j_checkpoint_transactions // jh is not in trans1->t_checkpoint_list jbd2_cleanup_journal_tail(journal) // trans1 is done Step 5: Power cut, trans2 is not committed, jh is lost in next mounting. Fix it by checking 'jh->b_transaction' before remove it from checkpoint.
Product status
b832174b7f89df3ebab02f5b485d00127a0e1a6e before ef5fea70e5915afd64182d155e72bfb4f275e1fc
e5c768d809a85e9efd0274b2efe69d4970cc0014 before dbafe636db415299e54d9dfefc1003bda9e71c9d
46f881b5b1758dc4a35fba4a643c10717d0cf427 before 2298f2589903a8bc03061b54b31fd97985ab6529
46f881b5b1758dc4a35fba4a643c10717d0cf427 before 590a809ff743e7bd890ba5fb36bc38e20a36de53
019b59aeb2af6b47d5c8e69c5dc1d731c8df0354
6.5
Any version before 6.5
5.15.132
6.1.54
6.5.4
6.6
References
git.kernel.org/...c/ef5fea70e5915afd64182d155e72bfb4f275e1fc
git.kernel.org/...c/dbafe636db415299e54d9dfefc1003bda9e71c9d
git.kernel.org/...c/2298f2589903a8bc03061b54b31fd97985ab6529
git.kernel.org/...c/590a809ff743e7bd890ba5fb36bc38e20a36de53
