Bug 1151353 (CVE-2014-8086) - CVE-2014-8086 Kernel: fs: ext4 race condition
Summary: CVE-2014-8086 Kernel: fs: ext4 race condition
Alias: CVE-2014-8086
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1152603 1152604 1152605 1152607 1152608 1152609
Blocks: 1151336
TreeView+ depends on / blocked
Reported: 2014-10-10 08:37 UTC by Prasad Pandit
Modified: 2021-02-17 06:07 UTC (History)
30 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A race condition flaw was found in the Linux kernel's ext4 file system implementation that allowed a local, unprivileged user to crash the system by simultaneously writing to a file and toggling the O_DIRECT flag using fcntl(F_SETFL) on that file.
Clone Of:
Last Closed: 2016-02-10 07:37:52 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0290 0 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2015-03-05 16:13:58 UTC
Red Hat Product Errata RHSA-2015:0694 0 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2015-03-17 18:39:44 UTC

Description Prasad Pandit 2014-10-10 08:37:20 UTC
Linux kernel built with an Ext4 file system(CONFIG_EXT4_FS) support is
vulnerable to a race condition flaw. It could occur while performing asynchronous & Direct I/O operations and fcntl(F_SETFL) call concurrently.

An unprivileged user/process could use this flaw to crash the system kernel
resulting in DoS.

Upstream fix:
  -> https://git.kernel.org/linus/a41537e69b4aa43f0fea02498c2595a81267383b

  -> http://www.openwall.com/lists/oss-security/2014/10/09/25

Comment 1 Prasad Pandit 2014-10-14 13:54:29 UTC

This issue does not affect the versions of Linux kernel as shipped with
Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.

This issue affects the version of the kernel package as shipped with
Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2. Future kernel updates
for Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2 may address this

Comment 3 Prasad Pandit 2014-10-14 13:57:20 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1152608]

Comment 7 Fedora Update System 2014-10-21 18:03:49 UTC
kernel-3.17.1-302.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-10-28 06:43:00 UTC
kernel-3.16.6-202.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 John Kacur 2014-11-07 14:39:18 UTC
I'm guessing that the problem was introduced with 7ed07ba8c3e6160e0af3adc0f59561de154c4c2e
(just by perusal, I haven't run any reproducers)
If this is true though, we don't need the fix before that point

Comment 12 John Kacur 2014-11-07 17:32:16 UTC
Okay, my guess must be wrong because when Jiri Kastner ran the reproducer om the mrg-kernel, he got a traceback
    ------------[ cut here ]------------
    kernel BUG at fs/ext4/inode.c:3129!
    invalid opcode: 0000 [#1] PREEMPT SMP
    Modules linked in: autofs4 ipv6 iTCO_wdt iTCO_vendor_support coretemp hwmon crc32c_intel ghash_clmulni_intel microcode serio_raw pcspkr ipmi_devintf ipmi_si ipmi_msghandler i2c_i801 lpc_ich cdc_ether usbnet mii sg shpchp cxgb4 ioatdma dca i7core_edac edac_core bnx2 ext4 jbd2 mbcache sd_mod crc_t10dif aesni_intel ablk_helper cryptd lrw aes_x86_64 xts gf128mul pata_acpi ata_generic ata_piix megaraid_sas mgag200 ttm drm_kms_helper drm i2c_algo_bit sysimgblt sysfillrect i2c_core syscopyarea dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mperf]
    CPU: 2 PID: 9863 Comm: aio-dio-fcntl-r Not tainted 3.10.58-rt62.54.el6rt.x86_64 #1
    Hardware name: IBM System x3550 M3 -[7944J2G]-/90Y4786, BIOS -[D6E158AUS-1.16]- 11/26/2012
    task: ffff88045a75b020 ti: ffff88045a008000 task.ti: ffff88045a008000
    RIP: 0010:[<ffffffffa018a2c5>]  [<ffffffffa018a2c5>] ext4_direct_IO+0x3b5/0x420 [ext4]
    RSP: 0018:ffff88045a009bf8  EFLAGS: 00010246
    RAX: 0000000000000000 RBX: ffff880442188af0 RCX: ffff88045770b9f8
    RDX: 0000000000000001 RSI: ffff88045770b980 RDI: ffff880442188af0
    RBP: ffff88045a009c78 R08: 0000000000000001 R09: 0000000000000000
    R10: ffff88047fbf6ee0 R11: 0000000000000000 R12: ffff88045770b980
    R13: 0000000000000200 R14: ffff880442188af0 R15: 0000000000000001
    FS:  00007fdeda739700(0000) GS:ffff88046f240000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000003e13f51500 CR3: 000000045a27d000 CR4: 00000000000007e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
     ffff88045a009c08 ffffffff8112d3f3 ffff88045a009c48 0000000000000001
     7ffffffffffffffe ffff880442188c68 0000000000000200 0000000000000001
     ffff88045770b9e8 0000000000000200 ffff88045a009c78 0000000000000200
    Call Trace:
     [<ffffffff8112d3f3>] ? do_writepages+0x23/0x40
     [<ffffffff81121208>] generic_file_direct_write+0xc8/0x190
     [<ffffffff81122e40>] __generic_file_aio_write+0x2d0/0x3b0
     [<ffffffff81122f85>] generic_file_aio_write+0x65/0xd0
     [<ffffffffa017e230>] ext4_file_write+0x60/0x420 [ext4]
     [<ffffffff81187d06>] ? __sb_start_write+0x76/0x120
     [<ffffffff812280e3>] ? security_file_permission+0x23/0x90
     [<ffffffffa017e1d0>] ? ext4_release_file+0xe0/0xe0 [ext4]
     [<ffffffff811d2f82>] do_io_submit+0x462/0x760
     [<ffffffff810d2a36>] ? __audit_syscall_exit+0x236/0x2e0
     [<ffffffff811d3290>] SyS_io_submit+0x10/0x20
     [<ffffffff815844d9>] system_call_fastpath+0x16/0x1b
    Code: 44 e0 ff ff 01 48 8b 90 38 e0 ff ff 80 e2 08 75 10 48 8b 80 38 e0 ff ff f6 c4 02 0f 84 34 fd ff ff e8 e0 fa 3e e1 e9 2a fd ff ff <0f> 0b eb fe 41 bc f4 ff ff ff 49 c7 c5 f4 ff ff ff e9 86 fe ff
    RIP  [<ffffffffa018a2c5>] ext4_direct_IO+0x3b5/0x420 [ext4]
     RSP <ffff88045a009bf8>
    ---[ end trace 0000000000000002 ]---

Comment 14 errata-xmlrpc 2015-03-05 12:51:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0290 https://rhn.redhat.com/errata/RHSA-2015-0290.html

Comment 15 errata-xmlrpc 2015-03-17 14:40:49 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2015:0694 https://rhn.redhat.com/errata/RHSA-2015-0694.html

Note You need to log in before you can comment on or make changes to this bug.