Bug 1004233 (CVE-2013-4299)

Summary: CVE-2013-4299 kernel: dm: dm-snapshot data leak
Product: [Other] Security Response
Reporter: Petr Matousek <pmatouse>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: agk, aquini, bhu, dhoward, fhrbata, iboverma, jkacur, jross, kernel-mgr, lgoncalv, mcressma, mfuruta, mpatocka, nobody, nyewale, rvrbovsk, security-response-team, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2021-10-20 10:41:00 UTC
Bug Depends On: 974481, 975353, 995067, 1004252, 1004721, 1004723, 1004734, 1004798, 1007949, 1007950, 1019678, 1028210    
Bug Blocks: 1004525    
Attachments:
  Patch proposed for upstream kernels (flags: none)

Description Petr Matousek 2013-09-04 09:08:47 UTC
A flaw was found in the way the Linux kernel's device-mapper subsystem, under certain conditions, interpreted data written to snapshot block devices. Snapshots are constructed from a single "cow" (copy-on-write) device that contains a mixture of data and metadata, and the bug involves a user writing a data block that is later incorrectly interpreted as metadata controlling how blocks are mapped.

An attacker could construct a mapping to read data from disk blocks in 'free space' that is normally inaccessible.

Please note that apart from having security consequences (data leak), this bug is also a data corruptor.

Acknowledgements:

Red Hat would like to thank Fujitsu for reporting this issue.

Comment 15 Alasdair Kergon 2013-10-16 12:28:34 UTC
Created attachment 812893
Patch proposed for upstream kernels

Comment 16 errata-xmlrpc 2013-10-16 17:21:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1436 https://rhn.redhat.com/errata/RHSA-2013-1436.html

Comment 18 errata-xmlrpc 2013-10-22 17:04:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only

Via RHSA-2013:1450 https://rhn.redhat.com/errata/RHSA-2013-1450.html

Comment 19 errata-xmlrpc 2013-10-22 17:33:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1449 https://rhn.redhat.com/errata/RHSA-2013-1449.html

Comment 26 errata-xmlrpc 2013-10-31 16:29:13 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:1490 https://rhn.redhat.com/errata/RHSA-2013-1490.html

Comment 28 errata-xmlrpc 2013-11-13 18:54:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 EUS - Server and Compute Node Only

Via RHSA-2013:1519 https://rhn.redhat.com/errata/RHSA-2013-1519.html

Comment 29 errata-xmlrpc 2013-11-14 17:41:41 UTC
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1520 https://rhn.redhat.com/errata/RHSA-2013-1520.html

Comment 30 errata-xmlrpc 2013-12-05 17:10:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only

Via RHSA-2013:1783 https://rhn.redhat.com/errata/RHSA-2013-1783.html

Comment 31 errata-xmlrpc 2013-12-19 21:29:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1860 https://rhn.redhat.com/errata/RHSA-2013-1860.html