Bug 869904 (CVE-2012-4508)

Summary: CVE-2012-4508 kernel: ext4: AIO vs fallocate stale data exposure
Product: [Other] Security Response
Reporter: Petr Matousek <pmatouse>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: agordeev, anton, bhu, davej, dhoward, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, jneedle, jonathan, jrusnack, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, mcressma, mjc, plougher, rt-maint, sforsber, tingsong.zheng, williams
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20121023,reported=20121008,source=upstream,cvss2=4.9/AV:L/AC:L/Au:N/C:C/I:N/A:N,rhel-5/kernel=affected,rhel-6/kernel=affected,mrg-2/realtime-kernel=affected,rhel-6.2.z/kernel=affected,fedora-all/kernel=affected
Doc Type: Bug Fix
Last Closed: 2013-08-24 10:07:02 EDT
Bug Depends On: 869905, 869906, 869907, 869908, 869909, 869910, 869911, 1022626
Bug Blocks: 870156

Description Petr Matousek 2012-10-25 02:21:58 EDT
A race condition flaw has been found in the way asynchronous I/O and fallocate interacted which can lead to exposure of stale data -- that is, an extent which should have had the "uninitialized" bit set indicating that its blocks have not yet been written and thus contain data from a deleted file. An unprivileged local user could use this flaw to cause an information leak.

Acknowledgements:

Red Hat would like to thank Theodore Ts'o for reporting this issue. Upstream acknowledges Dmitry Monakhov as the original reporter.

References:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=dee1f973ca341c266229faa5a1a5bb268bed3531
Comment 1 Petr Matousek 2012-10-25 02:24:22 EDT
Created attachment 633181
Upstream patches

Theodore Ts'o writes:

"There are two ways of patching this bug.  One is to apply the entire
set of AIO/DIO race fixes, which will fix a number of other bugs (some
of which can cause the system to deadlock if the right stress tester
is run).  All but the last two patches in the enclosed tar file are in
the ext4.git tree and will shortly be pushed to Linus.  The last two
will fix the stale data exposure bug.

A simpler fix is to simply apply the last patch in this patch series.
This should work on all older kernels; the downside of applying just
the last patch is that there is a slight risk of data loss if the file
system is full at the point where we have the AIO/fallocate race,
*AND* the leaf node in extent tree is full, requiring a block
allocation in order to split an extent so we can mark part of the
extent as being uninitialized.  This is a very hard-to-hit corner
case, so it should be OK to just apply the last patch in this series.

Applying the entire patch series will allow us to significantly reduce
the chances of this corner case happening.  The enclosed tar file has
these patches ported to the 3.6 kernel; it should not be hard to make
them apply for older kernels as necessary."

The last patch is also referenced in comment#0.
Comment 5 Petr Matousek 2012-10-25 02:29:36 EDT
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 869909]
Comment 7 errata-xmlrpc 2012-12-04 14:59:30 EST
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:1491 https://rhn.redhat.com/errata/RHSA-2012-1491.html
Comment 8 errata-xmlrpc 2012-12-04 15:53:28 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1540 https://rhn.redhat.com/errata/RHSA-2012-1540.html
Comment 9 errata-xmlrpc 2013-02-21 01:53:20 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0496 https://rhn.redhat.com/errata/RHSA-2013-0496.html
Comment 11 errata-xmlrpc 2013-11-13 13:54:05 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 EUS - Server and Compute Node Only

Via RHSA-2013:1519 https://rhn.redhat.com/errata/RHSA-2013-1519.html
Comment 12 errata-xmlrpc 2013-12-05 12:09:01 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only

Via RHSA-2013:1783 https://rhn.redhat.com/errata/RHSA-2013-1783.html