Bug 1066939 (CVE-2014-2038) - CVE-2014-2038 kernel: nfs: data leak during extended writes
Summary: CVE-2014-2038 kernel: nfs: data leak during extended writes
Status: CLOSED ERRATA
Alias: CVE-2014-2038
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20140117,reported=2...
Keywords: Security
: 1067341 (view as bug list)
Depends On: 1054493 1061260 1066942
Blocks: 1054773
TreeView+ depends on / blocked
 
Reported: 2014-02-19 10:59 UTC by Petr Matousek
Modified: 2019-06-08 19:55 UTC (History)
31 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2014-07-29 13:55:43 UTC


Attachments (Terms of Use)

Description Petr Matousek 2014-02-19 10:59:36 UTC
It was found that cached page was not up-to-date in certain cases when
we were extending write to cover the full page and thus contained
uninitalized data.

A local user with write access to file on nfs share could use this flaw
to leak kernel memory.

Please note that apart from having security consequences (data leak), this
bug is also a data corruptor.

Introduced by:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c7559663

Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=263b4509

Comment 2 Josh Boyer 2014-02-19 13:19:17 UTC
The upstream fix is already backported to the 3.12.11 and 3.13.3 stable kernels.  FYI.

Comment 3 Prasad J Pandit 2014-02-20 20:28:10 UTC
Statement:

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2.

Comment 4 Prasad J Pandit 2014-02-20 20:38:23 UTC
*** Bug 1067341 has been marked as a duplicate of this bug. ***

Comment 5 Vincent Danen 2014-07-29 13:53:42 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0328 https://rhn.redhat.com/errata/RHSA-2014-0328.html


Note You need to log in before you can comment on or make changes to this bug.