journal_unmap_buffer()'s zap_buffer: code clears a lot of buffer head state à la discard_buffer(), but does not touch _Delay or _Unwritten as discard_buffer() does. This can be problematic in some areas of the ext4 code which assume that if they have found a buffer marked unwritten or delay, then it's a live one. They do not check whether a buffer is mapped, so jbd2's partial teardown can be problematic if they assume that this buffer head is still valid. (Mounting without a journal also avoids the bug, because with no journal we go to unmap_buffer(), which does the right thing.) An unprivileged local user could use this flaw to crash the system.
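The state-bit mismatch described above, as an added illustration that is not kernel code and not part of this bug report: a small model of buffer-head flags with two teardown routines, one that leaves BH_Delay/BH_Unwritten behind (the pre-fix behaviour the report describes) and one that clears them the way discard_buffer() does, plus a consumer that, like the ext4 callers mentioned, looks only at Delay/Unwritten to decide whether a buffer still has pending work. The struct, enum values and function names are all hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a few buffer-head state bits. The names follow the
 * kernel's BH_* flags, but this struct is an illustration for this page, not
 * the kernel's struct buffer_head. */
enum {
    BH_UPTODATE  = 1u << 0,
    BH_DIRTY     = 1u << 1,
    BH_MAPPED    = 1u << 2,
    BH_NEW       = 1u << 3,
    BH_DELAY     = 1u << 4,  /* delayed allocation still pending */
    BH_UNWRITTEN = 1u << 5,  /* extent reserved but not yet written */
};

struct model_bh {
    unsigned int state;
    bool torn_down;  /* model-only bookkeeping: has teardown run on this bh? */
};

/* Teardown as the report describes the pre-fix zap_buffer path: most bits are
 * cleared, but BH_Delay and BH_Unwritten survive. */
void zap_buffer_partial(struct model_bh *bh)
{
    bh->state &= ~(BH_UPTODATE | BH_DIRTY | BH_MAPPED | BH_NEW);
    bh->torn_down = true;
}

/* Teardown that, like discard_buffer(), also drops BH_Delay and BH_Unwritten. */
void zap_buffer_complete(struct model_bh *bh)
{
    bh->state &= ~(BH_UPTODATE | BH_DIRTY | BH_MAPPED | BH_NEW |
                   BH_DELAY | BH_UNWRITTEN);
    bh->torn_down = true;
}

/* The consumer assumption the report describes: Delay or Unwritten set means
 * the buffer is live and still needs allocation or conversion. BH_Mapped is
 * deliberately not consulted, mirroring the callers in question. */
bool consumer_sees_pending_work(const struct model_bh *bh)
{
    return (bh->state & (BH_DELAY | BH_UNWRITTEN)) != 0;
}

/* Tear down every buffer of a page and count how many a consumer would still
 * act on afterwards even though they were torn down. Zero is the healthy
 * result; anything else is a stale buffer head the consumer trusts. */
size_t stale_pending_after_zap(void (*zap)(struct model_bh *),
                               struct model_bh *bufs, size_t n)
{
    size_t stale = 0;
    for (size_t i = 0; i < n; i++) {
        zap(&bufs[i]);
        if (bufs[i].torn_down && consumer_sees_pending_work(&bufs[i]))
            stale++;
    }
    return stale;
}

/* Constructed sample: one page with four buffer heads in mixed states. */
#define SAMPLE_BUFFERS 4
void make_sample_page(struct model_bh bufs[SAMPLE_BUFFERS])
{
    bufs[0] = (struct model_bh){ .state = BH_UPTODATE | BH_DIRTY | BH_MAPPED };
    bufs[1] = (struct model_bh){ .state = BH_UPTODATE | BH_DIRTY | BH_DELAY };
    bufs[2] = (struct model_bh){ .state = BH_UPTODATE | BH_MAPPED | BH_UNWRITTEN };
    bufs[3] = (struct model_bh){ .state = BH_NEW | BH_MAPPED };
}

/* Stale count after the partial teardown: the Delay and Unwritten buffers. */
size_t stale_after_partial_zap(void)
{
    struct model_bh page[SAMPLE_BUFFERS];
    make_sample_page(page);
    return stale_pending_after_zap(zap_buffer_partial, page, SAMPLE_BUFFERS);
}

/* Stale count after the complete teardown: nothing is left for a consumer. */
size_t stale_after_complete_zap(void)
{
    struct model_bh page[SAMPLE_BUFFERS];
    make_sample_page(page);
    return stale_pending_after_zap(zap_buffer_complete, page, SAMPLE_BUFFERS);
}

int main(void)
{
    printf("stale buffers after partial teardown:  %zu\n", stale_after_partial_zap());
    printf("stale buffers after complete teardown: %zu\n", stale_after_complete_zap());
    return 0;
}
```

The point of the model is the second teardown: once a buffer head has been torn down, no state bit that a later writeback or allocation path treats as "this buffer is live and owes me work" may survive, which is exactly what clearing BH_Delay and BH_Unwritten in the zap path achieves.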
Created attachment 560073 [details] CVE-2011-4086 proposed patch
Created kernel tracking bugs for this issue Affects: fedora-all [bug 788260]
Upstream proposed patch: http://thread.gmane.org/gmane.comp.file-systems.ext4/30623
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 via RHSA-2012:0107 https://rhn.redhat.com/errata/RHSA-2012-0107.html
Statement: This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2012-0107.html, https://rhn.redhat.com/errata/RHSA-2012-0571.html, and https://rhn.redhat.com/errata/RHSA-2012-0670.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle (https://access.redhat.com/support/policy/updates/errata/); therefore the fix for this issue is not currently planned for inclusion in future updates.
This issue has been addressed in the following products: MRG for RHEL-6 v.2 via RHSA-2012:0670 https://rhn.redhat.com/errata/RHSA-2012-0670.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 via RHSA-2012:0571 https://rhn.redhat.com/errata/RHSA-2012-0571.html