Bug 1286261 (CVE-2015-8374)

Summary: CVE-2015-8374 kernel: Information leak when truncating of compressed/inlined extents on BTRFS
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aquini, bhu, dhoward, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, kstutsma, lgoncalv, madhu.chinakonda, matt, mchehab, mcressma, mrg-program-list, nmurray, plougher, rvrbovsk, slawomir, slong, vdronov, williams
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
An information-leak vulnerability was found in the kernel when it truncated a file to a smaller size which consisted of an inline extent that was compressed. The data between the new file size and the old file size was not discarded and the number of bytes used by the inode was not correctly decremented, which gave the wrong report for callers of the stat(2) syscall. This wasted metadata space and allowed the truncated data to be leaked and data corruption or loss to occur. A caller of the clone ioctl could exploit this flaw to read the truncated data using only standard file-system operations, without root access.
Story Points: ---
Last Closed: 2019-06-08 02:45:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1286262, 1298680, 1298988, 1298989, 1298990, 1298991
Bug Blocks: 1286263

Description Adam Mariš 2015-11-27 16:44:27 UTC
An information leak vulnerability was found when truncating a file to a smaller size which consists of an inline extent that is compressed. The data between the new file size and the old file size were not discarded, wasting metadata space and allowing for the truncated data to be leaked and data corruption/loss to occur. The number of bytes used by the inode was not correctly decremented, which gives a wrong report for callers of the stat(2) syscall. It is possible for a caller of the clone ioctl to actually read the data that was truncated, allowing for a security breach without requiring root access to the system, using only standard filesystem operations.

Upstream patch (includes reproducing steps):

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0305cd5f7fca85dae392b9ba85b116896eb7c1c7

CVE request:

http://seclists.org/oss-sec/2015/q4/391

Comment 1 Adam Mariš 2015-11-27 16:45:02 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1286262]

Comment 2 Fedora Update System 2015-12-16 08:24:51 UTC
kernel-4.2.7-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2015-12-16 09:51:48 UTC
kernel-4.2.7-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2015-12-16 14:35:55 UTC
kernel-4.2.7-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Vladis Dronov 2016-01-19 15:03:55 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code with the flaw is not present in the products listed.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6 and is not currently planned to be addressed in future updates.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2. Future Linux kernel updates for the respective releases might address this issue.

Comment 12 errata-xmlrpc 2016-11-03 14:25:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 13 errata-xmlrpc 2016-11-03 19:37:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html

Comment 14 errata-xmlrpc 2016-11-03 21:30:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 15 errata-xmlrpc 2016-11-03 21:45:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html