Bug 1004233 (CVE-2013-4299)

Summary: CVE-2013-4299 kernel: dm: dm-snapshot data leak
Product: [Other] Security Response
Reporter: Petr Matousek <pmatouse>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: agk, agordeev, aquini, bhu, dhoward, esammons, fhrbata, iboverma, jkacur, jkurik, jross, kernel-mgr, lgoncalv, lwang, matt, mcressma, mfuruta, mpatocka, nobody, nyewale, pholasek, plougher, rvrbovsk, security-response-team, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20131016,reported=20130808,source=redhat,cvss2=4.3/AV:A/AC:H/Au:S/C:C/I:N/A:N,rhel-5/kernel=affected,rhel-5.9.z/kernel=affected,rhel-6/kernel=affected,mrg-2/realtime-kernel=affected,fedora-all/kernel=affected,rhel-6.3.z/kernel=affected,rhel-6.2.z/kernel=affected,rhel-7/kernel=notaffected
Doc Type: Bug Fix
Bug Depends On: 974481, 975353, 995067, 1004252, 1004721, 1004723, 1004734, 1004798, 1007949, 1007950, 1019678, 1028210    
Bug Blocks: 1004525    
Attachments:
Description Flags
Patch proposed for upstream kernels none

Description Petr Matousek 2013-09-04 05:08:47 EDT
A flaw was found in the way the Linux kernel's device-mapper subsystem, under certain conditions, interpreted data written to snapshot block devices. Snapshots are constructed from a single "cow" (copy-on-write) device that contains a mixture of data and metadata, and the bug involves a user writing a data block that is later incorrectly interpreted as metadata controlling how blocks are mapped.

An attacker could construct a mapping to read data from disk blocks in 'free space' that is normally inaccessible.

Please note that apart from having security consequences (data leak), this bug is also a data corruptor.

Acknowledgements:

Red Hat would like to thank Fujitsu for reporting this issue.
Comment 15 Alasdair Kergon 2013-10-16 08:28:34 EDT
Created attachment 812893
Patch proposed for upstream kernels
Comment 16 errata-xmlrpc 2013-10-16 13:21:52 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1436 https://rhn.redhat.com/errata/RHSA-2013-1436.html
Comment 18 errata-xmlrpc 2013-10-22 13:04:48 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only

Via RHSA-2013:1450 https://rhn.redhat.com/errata/RHSA-2013-1450.html
Comment 19 errata-xmlrpc 2013-10-22 13:33:48 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1449 https://rhn.redhat.com/errata/RHSA-2013-1449.html
Comment 26 errata-xmlrpc 2013-10-31 12:29:13 EDT
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:1490 https://rhn.redhat.com/errata/RHSA-2013-1490.html
Comment 28 errata-xmlrpc 2013-11-13 13:54:23 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 EUS - Server and Compute Node Only

Via RHSA-2013:1519 https://rhn.redhat.com/errata/RHSA-2013-1519.html
Comment 29 errata-xmlrpc 2013-11-14 12:41:41 EST
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1520 https://rhn.redhat.com/errata/RHSA-2013-1520.html
Comment 30 errata-xmlrpc 2013-12-05 12:10:41 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only

Via RHSA-2013:1783 https://rhn.redhat.com/errata/RHSA-2013-1783.html
Comment 31 errata-xmlrpc 2013-12-19 16:29:56 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1860 https://rhn.redhat.com/errata/RHSA-2013-1860.html