Bug 749143 (CVE-2011-4086)

Summary: CVE-2011-4086 kernel: jbd2: unmapped buffer with _Unwritten or _Delay flags set can lead to DoS
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anton, arozansk, dchinner, dhoward, esandeen, fhrbata, kernel-mgr, lczerner, lwang, plougher, pmatouse, rwheeler, security-response-team, sforsber
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-24 04:19:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 748713, 749727, 783284, 783477, 788259, 788260    
Bug Blocks: 749134    
Attachments:
Description Flags
CVE-2011 4086-proposed patch none

Description Eugene Teo (Security Response) 2011-10-26 10:07:49 UTC 
journal_unmap_buffer()'s zap_buffer: code clears a lot of buffer head
state ala discard_buffer(), but does not touch _Delay or _Unwritten
as discard_buffer() does.

This can be problematic in some areas of the ext4 code which assume
that if they have found a buffer marked unwritten or delay, then it's
a live one.  They do not check whether a buffer is mapped, so
jbd2's partial teardown can be problematic if they assume that
this buffer head is still valid.

(Mounting without a journal also avoids the bug, because
with no journal we go to unmap_buffer(), which does the right
thing).

An unprivileged local user could use this flaw to crash the system.
Comment 9 Petr Matousek 2012-02-07 21:53:41 UTC 
Created attachment 560073 [details]
CVE-2011 4086-proposed patch
Comment 11 Petr Matousek 2012-02-07 21:56:35 UTC 
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 788260]
Comment 15 Petr Matousek 2012-02-08 08:11:21 UTC 
Upstream proposed patch:

http://thread.gmane.org/gmane.comp.file-systems.ext4/30623
Comment 17 errata-xmlrpc 2012-02-09 16:41:30 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0107 https://rhn.redhat.com/errata/RHSA-2012-0107.html
Comment 18 Eugene Teo (Security Response) 2012-02-15 06:04:40 UTC 
Statement:

This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2012-0107.html, https://rhn.redhat.com/errata/RHSA-2012-0571.html, and https://rhn.redhat.com/errata/RHSA-2012-0670.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates.
Comment 19 errata-xmlrpc 2012-05-15 22:59:17 UTC 
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0670 https://rhn.redhat.com/errata/RHSA-2012-0670.html
Comment 20 errata-xmlrpc 2012-05-15 23:09:59 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0571 https://rhn.redhat.com/errata/RHSA-2012-0571.html