Bug 1286261 (CVE-2015-8374) - CVE-2015-8374 kernel: Information leak when truncating of compressed/inlined extents on BTRFS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8374
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20151016,repor...
Depends On: 1286262 1298680 1298988 1298989 1298990 1298991
Blocks: 1286263
Reported: 2015-11-27 16:44 UTC by Adam Mariš
Modified: 2019-06-11 11:13 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An information-leak vulnerability was found in the kernel when it truncated, to a smaller size, a file that consisted of a compressed inline extent. The data between the new file size and the old file size was not discarded, and the number of bytes used by the inode was not correctly decremented, which gave the wrong report to callers of the stat(2) syscall. This wasted metadata space, allowed the truncated data to be leaked, and allowed data corruption or loss to occur. A caller of the clone ioctl could exploit this flaw to read the truncated data, using only standard file-system operations and without root access.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:45:54 UTC




Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2016:2574 | normal | SHIPPED_LIVE | Important: kernel security, bug fix, and enhancement update | 2016-11-03 12:06:10 UTC
Red Hat Product Errata | RHSA-2016:2584 | normal | SHIPPED_LIVE | Important: kernel-rt security, bug fix, and enhancement update | 2016-11-03 12:08:49 UTC

Description Adam Mariš 2015-11-27 16:44:27 UTC
An information leak vulnerability was found when truncating a file to a smaller size which consists of an inline extent that is compressed. The data between the new file size and the old file size were not discarded, wasting metadata space and allowing for the truncated data to be leaked and data corruption/loss to occur. The number of bytes used by the inode was not correctly decremented, which gives a wrong report for callers of the stat(2) syscall. It is possible for a caller of the clone ioctl to actually read the data that was truncated, allowing for a security breach without requiring root access to the system, using only standard filesystem operations.

Upstream patch (includes reproducing steps):

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0305cd5f7fca85dae392b9ba85b116896eb7c1c7

CVE request:

http://seclists.org/oss-sec/2015/q4/391
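
A triage aid for the condition described above, added here as an example and not part of the bug report or the upstream patch: it lists the btrfs mounts in a `/proc/mounts`-format file and shows whether a compression mount option is set and whether new inline extents are disabled with `max_inline=0`. The function names, output format and sample data are this example's own. Compression can also be enabled per file and inline extents written earlier remain on disk, so a `compress=off` result narrows the search but does not rule a filesystem out.

```shell
# Added example (not from the bug report). Reads a file in /proc/mounts
# format and prints one line per btrfs mount:
#   <mountpoint> <compress=on|off> <inline=allowed|disabled>
# Function name and output format are hypothetical, chosen for this example.
btrfs_exposure_report() {
    awk '
    $3 == "btrfs" {
        compress = "compress=off"
        inl = "inline=allowed"
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) {
            # Matches compress, compress=zlib, compress-force=lzo, ...
            if (opts[i] ~ /^compress(-force)?(=.*)?$/) {
                compress = "compress=on"
                # An explicit "=no" or "=none" turns compression off
                if (opts[i] ~ /=(no|none)$/) compress = "compress=off"
            }
            # max_inline=0 stops new inline extents from being created
            if (opts[i] == "max_inline=0") inl = "inline=disabled"
        }
        print $2, compress, inl
    }' "$1"
}

# Constructed sample input in /proc/mounts format (not from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /data btrfs rw,relatime,compress=zlib,space_cache 0 0
/dev/sdc1 /scratch btrfs rw,relatime,space_cache,max_inline=0 0 0
/dev/sdd1 /backup btrfs rw,noatime,compress-force=lzo 0 0
EOF
}
```

On a live host, run it as `btrfs_exposure_report /proc/mounts`.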

Comment 1 Adam Mariš 2015-11-27 16:45:02 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1286262]

Comment 2 Fedora Update System 2015-12-16 08:24:51 UTC
kernel-4.2.7-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2015-12-16 09:51:48 UTC
kernel-4.2.7-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2015-12-16 14:35:55 UTC
kernel-4.2.7-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Vladis Dronov 2016-01-19 15:03:55 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code with the flaw is not present in the products listed.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6 and is not currently planned to be addressed in future updates.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2. Future Linux kernel updates for the respective releases might address this issue.

Comment 12 errata-xmlrpc 2016-11-03 14:25:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 13 errata-xmlrpc 2016-11-03 19:37:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html

Comment 14 errata-xmlrpc 2016-11-03 21:30:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 15 errata-xmlrpc 2016-11-03 21:45:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html

