Re: [BUG] ufs: crafted writable mount can overflow cylinder summary buffer
From: Greg KH
Date: Wed Jun 17 2026 - 11:11:11 EST

On Wed, Jun 17, 2026 at 11:42:40PM +0900, 이상호 wrote:
> Hello,
>
> I am reporting a UFS/FFS mount-time memory corruption issue in
> ufs_read_cylinder_structures().
>
> A crafted UFS/FFS filesystem image can set inconsistent cylinder-summary
> geometry so that the kernel allocates kmalloc(s_cssize) but copies more than
> that allocation while reading cylinder summary blocks during a writable UFS
> mount.

No need to cc: the security list for this, it's just a "normal" bug to
fix. Please submit a patch to resolve it if you wish to see it fixed in
the kernel or even better, in the userspace fsck tool.

thanks,
greg k-h