摘要:
In the Linux kernel, the following vulnerability has been resolved:
exfat: fix random stack corruption after get_block
When get_block is called with a buffer_head allocated on the stack, such
as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in
the following race condition situation.
<CPU 0> <CPU 1>
mpage_read_folio
<<bh on stack>>
do_mpage_readpage
exfat_get_block
bh_read
__bh_read
get_bh(bh)
submit_bh
wait_on_buffer
...
end_buffer_read_sync
__end_buffer_read_notouch
unlock_buffer
<<keep going>>
...
...
...
...
<<bh is not valid out of mpage_read_folio>>
.
.
another_function
<<variable A on stack>>
put_bh(bh)
atomic_dec(bh->b_count)
* stack corruption here *
This patch returns -EAGAIN if a folio does not have buffers when bh_read
needs to be called. By doing this, the caller can fallback to functions
like block_read_full_folio(), create a buffer_head in the folio, and then
call get_block again.
Let's do not call bh_read() with on-stack buffer_head.
安全等级: Low
公告ID: KylinSec-SA-2025-2390
发布日期: 2025年4月28日
关联CVE: CVE-2025-22036
Linux内核修复了以下漏洞:
exfat:修复get_block调用后可能导致的随机栈损坏问题
当get_block被调用时,若传入的buffer_head结构体分配在栈上(例如do_mpage_readpage场景),在以下竞态条件下可能因buffer_head释放后使用(UAF)导致栈内存损坏:
<CPU 0> <CPU 1>
mpage_read_folio
<<栈上分配的bh>>
do_mpage_readpage
exfat_get_block
bh_read
__bh_read
get_bh(bh)
submit_bh
wait_on_buffer
...
end_buffer_read_sync
__end_buffer_read_notouch
unlock_buffer
<<继续执行>>
...
...
...
<<bh在mpage_read_folio外失效>>
.
.
another_function
<<栈变量A>>
put_bh(bh)
atomic_dec(bh->b_count)
此处发生栈损坏 *
该补丁在bh_read需要被调用时,若folio没有关联的buffers则返回-EAGAIN。通过这种方式,调用方可回退到block_read_full_folio()等函数,在folio中创建buffer_head后再次调用get_block。
关键修复点:禁止对栈分配的buffer_head调用bh_read()。
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|---|---|---|
| CVE-2025-22036 | KY3.4-5A | kernel | Unaffected |
| CVE-2025-22036 | V6 | kernel | Unaffected |
