Bug 1151353 (CVE-2014-8086)

Summary: CVE-2014-8086 Kernel: fs: ext4 race condition
Product: [Other] Security Response
Reporter: Prasad Pandit <ppandit>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: agordeev, aquini, bhu, carnil, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, nmurray, pholasek, plougher, rt-maint, rvrbovsk, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
A race condition flaw was found in the Linux kernel's ext4 file system implementation that allowed a local, unprivileged user to crash the system by simultaneously writing to a file and toggling the O_DIRECT flag using fcntl(F_SETFL) on that file.
Story Points: ---
Last Closed: 2016-02-10 07:37:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1152603, 1152604, 1152605, 1152607, 1152608, 1152609
Bug Blocks: 1151336

Description Prasad Pandit 2014-10-10 08:37:20 UTC
A Linux kernel built with ext4 file system (CONFIG_EXT4_FS) support is
vulnerable to a race condition flaw. It could occur while performing asynchronous direct I/O operations and an fcntl(F_SETFL) call concurrently.

An unprivileged user/process could use this flaw to crash the system kernel,
resulting in a DoS.

Upstream fix:
-------------
  -> https://git.kernel.org/linus/a41537e69b4aa43f0fea02498c2595a81267383b

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2014/10/09/25
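The Doc Text and description above describe the bug class: the write path consults the file's O_DIRECT flag at more than one point while a concurrent fcntl(F_SETFL) can change it in between. Below is an added user-space model of that pattern (example code written for this page, not the kernel's or the upstream fix's code; MODEL_O_DIRECT, model_file, model_iocb, racy_write and fixed_write are invented stand-ins), showing a racy path that re-reads the flag beside a hardened path that snapshots it once, with the flip injected deterministically between the two checks instead of by a real concurrent thread.

```c
#include <stddef.h>

/* Constructed user-space model of the bug class behind CVE-2014-8086 (added
 * example, not kernel code): the write path inspects a shared flags word at
 * two points while another task can flip it in between.  MODEL_O_DIRECT,
 * model_file and model_iocb are invented stand-ins for O_DIRECT, struct file
 * and struct kiocb. */
#define MODEL_O_DIRECT 0x4000

struct model_file { unsigned int f_flags; };   /* shared, toggled by F_SETFL */
struct model_iocb { void *private; };          /* direct-I/O bookkeeping */

static int direct_io_state = 1;                /* placeholder private state */

/* Models the concurrent fcntl(F_SETFL) toggling O_DIRECT.  A real race is
 * timing-dependent; here the flip is injected deterministically at the
 * window between the writer's two checks so the outcome is reproducible. */
static void toggle_direct(struct model_file *f) { f->f_flags ^= MODEL_O_DIRECT; }

/* Racy write path: re-reads f->f_flags at each decision point.
 * Returns 0 on a consistent run, -1 when the model's consistency check fails:
 * the direct-I/O branch is entered with no private state prepared (the
 * kernel's equivalent is the BUG_ON seen in the trace in this bug). */
int racy_write(struct model_file *f, struct model_iocb *iocb, int race)
{
    iocb->private = NULL;
    if (f->f_flags & MODEL_O_DIRECT)       /* first read of the flag */
        iocb->private = &direct_io_state;
    if (race)
        toggle_direct(f);                  /* F_SETFL lands mid-write */
    if (f->f_flags & MODEL_O_DIRECT)       /* second read: may disagree */
        return iocb->private == NULL ? -1 : 0;
    return 0;
}

/* Hardened write path: snapshot the flag once into a local and make every
 * later decision from that copy, so the two checks cannot disagree. */
int fixed_write(struct model_file *f, struct model_iocb *iocb, int race)
{
    int o_direct = f->f_flags & MODEL_O_DIRECT;   /* single read */
    iocb->private = NULL;
    if (o_direct)
        iocb->private = &direct_io_state;
    if (race)
        toggle_direct(f);                  /* flip no longer observed */
    if (o_direct)
        return iocb->private == NULL ? -1 : 0;
    return 0;
}
```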

Comment 1 Prasad Pandit 2014-10-14 13:54:29 UTC
Statement:

This issue does not affect the versions of Linux kernel as shipped with
Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.

This issue affects the version of the kernel package as shipped with
Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2. Future kernel updates
for Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2 may address this
issue.

Comment 3 Prasad Pandit 2014-10-14 13:57:20 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1152608]

Comment 7 Fedora Update System 2014-10-21 18:03:49 UTC
kernel-3.17.1-302.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-10-28 06:43:00 UTC
kernel-3.16.6-202.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 John Kacur 2014-11-07 14:39:18 UTC
I'm guessing that the problem was introduced with 7ed07ba8c3e6160e0af3adc0f59561de154c4c2e
(just by perusal, I haven't run any reproducers).
If this is true, though, we don't need the fix before that point.

Comment 12 John Kacur 2014-11-07 17:32:16 UTC
Okay, my guess must be wrong, because when Jiri Kastner ran the reproducer on the mrg-kernel, he got a traceback:
    ------------[ cut here ]------------
    kernel BUG at fs/ext4/inode.c:3129!
    invalid opcode: 0000 [#1] PREEMPT SMP
    Modules linked in: autofs4 ipv6 iTCO_wdt iTCO_vendor_support coretemp hwmon crc32c_intel ghash_clmulni_intel microcode serio_raw pcspkr ipmi_devintf ipmi_si ipmi_msghandler i2c_i801 lpc_ich cdc_ether usbnet mii sg shpchp cxgb4 ioatdma dca i7core_edac edac_core bnx2 ext4 jbd2 mbcache sd_mod crc_t10dif aesni_intel ablk_helper cryptd lrw aes_x86_64 xts gf128mul pata_acpi ata_generic ata_piix megaraid_sas mgag200 ttm drm_kms_helper drm i2c_algo_bit sysimgblt sysfillrect i2c_core syscopyarea dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mperf]
    CPU: 2 PID: 9863 Comm: aio-dio-fcntl-r Not tainted 3.10.58-rt62.54.el6rt.x86_64 #1
    Hardware name: IBM System x3550 M3 -[7944J2G]-/90Y4786, BIOS -[D6E158AUS-1.16]- 11/26/2012
    task: ffff88045a75b020 ti: ffff88045a008000 task.ti: ffff88045a008000
    RIP: 0010:[<ffffffffa018a2c5>]  [<ffffffffa018a2c5>] ext4_direct_IO+0x3b5/0x420 [ext4]
    RSP: 0018:ffff88045a009bf8  EFLAGS: 00010246
    RAX: 0000000000000000 RBX: ffff880442188af0 RCX: ffff88045770b9f8
    RDX: 0000000000000001 RSI: ffff88045770b980 RDI: ffff880442188af0
    RBP: ffff88045a009c78 R08: 0000000000000001 R09: 0000000000000000
    R10: ffff88047fbf6ee0 R11: 0000000000000000 R12: ffff88045770b980
    R13: 0000000000000200 R14: ffff880442188af0 R15: 0000000000000001
    FS:  00007fdeda739700(0000) GS:ffff88046f240000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000003e13f51500 CR3: 000000045a27d000 CR4: 00000000000007e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Stack:
     ffff88045a009c08 ffffffff8112d3f3 ffff88045a009c48 0000000000000001
     7ffffffffffffffe ffff880442188c68 0000000000000200 0000000000000001
     ffff88045770b9e8 0000000000000200 ffff88045a009c78 0000000000000200
    Call Trace:
     [<ffffffff8112d3f3>] ? do_writepages+0x23/0x40
     [<ffffffff81121208>] generic_file_direct_write+0xc8/0x190
     [<ffffffff81122e40>] __generic_file_aio_write+0x2d0/0x3b0
     [<ffffffff81122f85>] generic_file_aio_write+0x65/0xd0
     [<ffffffffa017e230>] ext4_file_write+0x60/0x420 [ext4]
     [<ffffffff81187d06>] ? __sb_start_write+0x76/0x120
     [<ffffffff812280e3>] ? security_file_permission+0x23/0x90
     [<ffffffffa017e1d0>] ? ext4_release_file+0xe0/0xe0 [ext4]
     [<ffffffff811d2f82>] do_io_submit+0x462/0x760
     [<ffffffff810d2a36>] ? __audit_syscall_exit+0x236/0x2e0
     [<ffffffff811d3290>] SyS_io_submit+0x10/0x20
     [<ffffffff815844d9>] system_call_fastpath+0x16/0x1b
    Code: 44 e0 ff ff 01 48 8b 90 38 e0 ff ff 80 e2 08 75 10 48 8b 80 38 e0 ff ff f6 c4 02 0f 84 34 fd ff ff e8 e0 fa 3e e1 e9 2a fd ff ff <0f> 0b eb fe 41 bc f4 ff ff ff 49 c7 c5 f4 ff ff ff e9 86 fe ff
    RIP  [<ffffffffa018a2c5>] ext4_direct_IO+0x3b5/0x420 [ext4]
     RSP <ffff88045a009bf8>
    ---[ end trace 0000000000000002 ]---

Comment 14 errata-xmlrpc 2015-03-05 12:51:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0290 https://rhn.redhat.com/errata/RHSA-2015-0290.html

Comment 15 errata-xmlrpc 2015-03-17 14:40:49 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2015:0694 https://rhn.redhat.com/errata/RHSA-2015-0694.html