HIGH
erofs FileIO UAF
CVE-2026-23224
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

erofs: fix UAF issue for file-backed mounts w/ directio option

```
[ 9.269940][ T3222] Call trace:
[ 9.269948][ T3222]  ext4_file_read_iter+0xac/0x108
[ 9.269979][ T3222]  vfs_iocb_iter_read+0xac/0x198
[ 9.269993][ T3222]  erofs_fileio_rq_submit+0x12c/0x180
[ 9.270008][ T3222]  erofs_fileio_submit_bio+0x14/0x24
[ 9.270030][ T3222]  z_erofs_runqueue+0x834/0x8ac
[ 9.270054][ T3222]  z_erofs_read_folio+0x120/0x220
[ 9.270083][ T3222]  filemap_read_folio+0x60/0x120
[ 9.270102][ T3222]  filemap_fault+0xcac/0x1060
[ 9.270119][ T3222]  do_pte_missing+0x2d8/0x1554
[ 9.270131][ T3222]  handle_mm_fault+0x5ec/0x70c
[ 9.270142][ T3222]  do_page_fault+0x178/0x88c
[ 9.270167][ T3222]  do_translation_fault+0x38/0x54
[ 9.270183][ T3222]  do_mem_abort+0x54/0xac
[ 9.270208][ T3222]  el0_da+0x44/0x7c
[ 9.270227][ T3222]  el0t_64_sync_handler+0x5c/0xf4
[ 9.270253][ T3222]  el0t_64_sync+0x1bc/0x1c0
```

EROFS may encounter above panic when enabling file-backed mount w/ directio mount option, the root cause is it may suffer UAF in below race condition:

```
- z_erofs_read_folio                   wq s_dio_done_wq
 - z_erofs_runqueue
  - erofs_fileio_submit_bio
   - erofs_fileio_rq_submit
    - vfs_iocb_iter_read
     - ext4_file_read_iter
      - ext4_dio_read_iter
       - iomap_dio_rw
       : bio was submitted and
         return -EIOCBQUEUED
                                       - dio_aio_complete_work
                                        - dio_complete
                                         - dio->iocb->ki_complete
                                           (erofs_fileio_ki_complete())
                                          - kfree(rq)
                                          : it frees iocb, iocb.ki_filp
                                            can be UAF in file_accessed().
       - file_accessed
       : access NULL file point
```

Introduce a reference count in struct erofs_fileio_rq, and initialize it as two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will decrease reference count, the last one decreasing the reference count to zero will free rq.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the EROFS filesystem can cause kernel crashes when using file-backed mounts with direct I/O. The issue occurs due to a race condition where memory is freed while still being accessed, potentially leading to system instability or denial of service. This primarily affects container environments and other use cases that rely on EROFS file-backed mounts.
Vulnerability analysis
Root Cause: A race condition exists in EROFS file-backed mounts with the directio option: the erofs_fileio_rq structure can be freed by the completion callback (erofs_fileio_ki_complete) while the submission path (erofs_fileio_rq_submit) is still using it. When vfs_iocb_iter_read returns -EIOCBQUEUED, the bio has been submitted asynchronously and the completion callback can run immediately, freeing the request (and the kiocb embedded in it) before the lower filesystem's read path, still executing under the submission function, touches iocb->ki_filp in file_accessed().
Attack Surface: This vulnerability affects systems using EROFS file-backed mounts with the directio mount option. It requires local access to trigger file operations that would cause page faults and subsequent EROFS read operations. The race condition occurs during normal filesystem operations when reading compressed data from file-backed EROFS mounts.
Fix Mechanism: The patch introduces reference counting to the erofs_fileio_rq structure using a refcount_t field initialized to 2. Both the completion callback (erofs_fileio_ki_complete) and the submission function (erofs_fileio_rq_submit) decrement the reference count, and only the last one to reach zero actually frees the structure. This ensures the structure remains valid until both code paths have finished using it.
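The race in the description and the refcount fix above, as an added user-space model (example code, not the kernel's own): `file_model`, `kiocb_model`, `fileio_rq`, `lower_dio_read` and `simulate` are hypothetical stand-ins for the kernel objects and functions of the same role, and "freeing" is modelled by marking the object dead and poisoning `ki_filp` rather than calling `free()`, so the bad interleaving can be observed instead of crashing.

```c
/* Added example, not kernel code: a user-space model of the erofs_fileio_rq
 * lifetime race and the refcount fix. All names below are hypothetical
 * stand-ins for the kernel objects and functions of the same role. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

#define EIOCBQUEUED 529                 /* magnitude of the kernel's -EIOCBQUEUED */

struct file_model { int accessed; };    /* stands in for struct file */

struct kiocb_model {                    /* stands in for struct kiocb */
	struct file_model *ki_filp;
	void (*ki_complete)(struct kiocb_model *iocb, long ret);
};

struct fileio_rq {                      /* stands in for struct erofs_fileio_rq */
	struct kiocb_model iocb;            /* embedded: freeing rq frees the iocb */
	atomic_int ref;                     /* the fix: one reference per code path */
	bool freed;                         /* instrumentation only, not in the kernel */
};

/* Model of kfree(rq): memory stays mapped so the outcome can be observed, but
 * the object is marked dead and ki_filp poisoned (the trace's NULL file pointer). */
static void rq_free(struct fileio_rq *rq)
{
	rq->freed = true;
	rq->iocb.ki_filp = NULL;
}

/* Model of file_accessed(): 0 on success, -1 where the kernel would oops. */
static int file_accessed(struct file_model *f)
{
	if (!f)
		return -1;
	f->accessed++;
	return 0;
}

static struct fileio_rq *rq_of(struct kiocb_model *iocb)
{
	return (struct fileio_rq *)((char *)iocb - offsetof(struct fileio_rq, iocb));
}

/* Vulnerable completion: frees the request as soon as the I/O is done. */
static void ki_complete_unsafe(struct kiocb_model *iocb, long ret)
{
	(void)ret;
	rq_free(rq_of(iocb));
}

/* Fixed completion: drop one reference; whoever drops the last one frees. */
static void rq_put(struct fileio_rq *rq)
{
	if (atomic_fetch_sub(&rq->ref, 1) == 1)
		rq_free(rq);
}

static void ki_complete_refcounted(struct kiocb_model *iocb, long ret)
{
	(void)ret;
	rq_put(rq_of(iocb));
}

/* Model of the lower filesystem's direct-I/O read (ext4_dio_read_iter in the
 * trace): the bio is queued and -EIOCBQUEUED returned, but file_accessed() is
 * still called on the way out. completion_first models the completion workqueue
 * winning the race, so ki_complete() has already run by then. */
static int lower_dio_read(struct kiocb_model *iocb, bool completion_first,
			  int *access_err)
{
	if (completion_first)
		iocb->ki_complete(iocb, 0);
	*access_err = file_accessed(iocb->ki_filp);
	return -EIOCBQUEUED;
}

/* Run one submit/complete interleaving. Returns -1 on the modelled
 * use-after-free, 1 if rq was never freed (a leak), 0 when rq was freed exactly
 * once after both paths finished. The synchronous path (read returning
 * something other than -EIOCBQUEUED) is not modelled. */
int simulate(bool fixed, bool completion_first)
{
	struct file_model file = { 0 };
	struct fileio_rq rq = { .iocb = { .ki_filp = &file }, .freed = false };
	int access_err;

	rq.iocb.ki_complete = fixed ? ki_complete_refcounted : ki_complete_unsafe;
	atomic_init(&rq.ref, 2);            /* submitter and completion hold one each */

	(void)lower_dio_read(&rq.iocb, completion_first, &access_err);
	if (fixed)
		rq_put(&rq);                    /* submitter drops its reference */
	if (!completion_first)
		rq.iocb.ki_complete(&rq.iocb, 0); /* workqueue runs after submit returns */

	if (access_err)
		return -1;
	return rq.freed ? 0 : 1;
}
```

`simulate(false, true)` is the interleaving from the call trace (completion wins the race against the unsafe submitter) and returns -1; the other three combinations return 0, showing that with the count initialised to 2 the request is freed exactly once regardless of which path finishes first, and that neither ordering leaks it.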
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.72 | ae385826840a |
| 6.18 | 6.18.11 | d741534302f7 |
| 6.19 | 6.19.1 | b2ee5e4d5446 |
| mainline | 7.0 | 1caf50ce4af0 |