In the Linux kernel, the following vulnerability has been resolved:
erofs: avoid using multiple devices with different type
For multiple devices, both primary and extra devices should be the
same type. erofs_init_device
has already guaranteed that if the
primary is a file-backed device, extra devices should also be
regular files.
However, if the primary is a block device while the extra device
is a file-backed device, erofs_init_device
will get an ENOTBLK,
which is not treated as an error in erofs_fc_get_tree
, and that
leads to an UAF:
erofsfcgettree gettreebdevflags(erofsfcfillsuper) erofsreadsuperblock erofsinitdevice // sbi->dif0 is not inited yet, // return -ENOTBLK deactivatelockedsuper free(sbi) if (err is -ENOTBLK) sbi->dif0.file = filpopen() // sbi UAF
So if -ENOTBLK is hitted in erofs_init_device
, it means the
primary device must be a block device, and the extra device
is not a block device. The error can be converted to -EINVAL.