Bug 1066939 (CVE-2014-2038)

Summary: CVE-2014-2038 kernel: nfs: data leak during extended writes
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: agordeev, aquini, bhu, davej, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, jkurik, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, matt, mcressma, nobody, npajkovs, pholasek, plougher, ppandit, rt-maint, rvrbovsk, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-07-29 13:55:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1054493, 1061260, 1066942    
Bug Blocks: 1054773    

Description Petr Matousek 2014-02-19 10:59:36 UTC 
It was found that cached page was not up-to-date in certain cases when
we were extending write to cover the full page and thus contained
uninitalized data.

A local user with write access to file on nfs share could use this flaw
to leak kernel memory.

Please note that apart from having security consequences (data leak), this
bug is also a data corruptor.

Introduced by:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c7559663

Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=263b4509
Comment 2 Josh Boyer 2014-02-19 13:19:17 UTC 
The upstream fix is already backported to the 3.12.11 and 3.13.3 stable kernels.  FYI.
Comment 3 Prasad Pandit 2014-02-20 20:28:10 UTC 
Statement:

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2.
Comment 4 Prasad Pandit 2014-02-20 20:38:23 UTC 
*** Bug 1067341 has been marked as a duplicate of this bug. ***
Comment 5 Vincent Danen 2014-07-29 13:53:42 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0328 https://rhn.redhat.com/errata/RHSA-2014-0328.html