Bug 1286261 (CVE-2015-8374) - CVE-2015-8374 kernel: Information leak when truncating of compressed/inlined extents on BTRFS
Summary: CVE-2015-8374 kernel: Information leak when truncating of compressed/inlined ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8374
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1286262 1298680 1298988 1298989 1298990 1298991
Blocks: 1286263
TreeView+ depends on / blocked
 
Reported: 2015-11-27 16:44 UTC by Adam Mariš
Modified: 2021-02-17 04:41 UTC (History)
29 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An information-leak vulnerability was found in the kernel when it truncated a file to a smaller size which consisted of an inline extent that was compressed. The data between the new file size and the old file size was not discarded and the number of bytes used by the inode were not correctly decremented, which gave the wrong report for callers of the stat(2) syscall. This wasted metadata space and allowed for the truncated data to be leaked, and data corruption or loss to occur. A caller of the clone ioctl could exploit this flaw by using only standard file-system operations without root access to read the truncated data.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:45:54 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2574 0 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2016-11-03 12:06:10 UTC
Red Hat Product Errata RHSA-2016:2584 0 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2016-11-03 12:08:49 UTC

Description Adam Mariš 2015-11-27 16:44:27 UTC 
An information leak vulnerability was found when truncating a file to a smaller size which consists of an inline extent that is compressed. The data between the new file size and the old file size were not discarded, wasting metadata space and allowing for the truncated data to be leaked and the data corruption/loss to occur. The number of bytes used by the inode were not correctly decremented, which gives wrong report for callers of the stat(2) syscall. It is possible for a caller of the clone ioctl to actually read the data that was truncated, allowing for a security breach without requiring root access to the system, using only standard filesystem operations.

Upstream patch (includes reproducing steps):

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0305cd5f7fca85dae392b9ba85b116896eb7c1c7

CVE request:

http://seclists.org/oss-sec/2015/q4/391
Comment 1 Adam Mariš 2015-11-27 16:45:02 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1286262]
Comment 2 Fedora Update System 2015-12-16 08:24:51 UTC 
kernel-4.2.7-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2015-12-16 09:51:48 UTC 
kernel-4.2.7-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2015-12-16 14:35:55 UTC 
kernel-4.2.7-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Vladis Dronov 2016-01-15 15:29:33 UTC 
References:
Upstream fixes:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8039d87d9e473aeb740d4fdbd59b9d2f89b2ced9

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0305cd5f7fca85dae392b9ba85b116896eb7c1c7

The related 'xfstests' tests:

https://git.kernel.org/cgit/fs/xfs/xfstests-dev.git/commit/?id=ddb4e4cfccfa5fc36975c12e9a66a24d3b7829bd

https://git.kernel.org/cgit/fs/xfs/xfstests-dev.git/commit/?id=0e6ead559169260d0a2621ec22edcd0e63b84a88

https://git.kernel.org/cgit/fs/xfs/xfstests-dev.git/commit/?id=7ff4bb25cea7a294113f52369951db6ae52f5f9d
Comment 11 Vladis Dronov 2016-01-19 15:03:55 UTC 
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code with the flaw is not present in the products listed.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6 and is not currently planned to be addressed in future updates.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2. Future Linux kernel updates for the respective releases might address this issue.
Comment 12 errata-xmlrpc 2016-11-03 14:25:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html
Comment 13 errata-xmlrpc 2016-11-03 19:37:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html
Comment 14 errata-xmlrpc 2016-11-03 21:30:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html
Comment 15 errata-xmlrpc 2016-11-03 21:45:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html
Note You need to log in before you can comment on or make changes to this bug.