Bug 869904 - (CVE-2012-4508) CVE-2012-4508 kernel: ext4: AIO vs fallocate stale data exposure
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20121023,repo...
Keywords: Security
Depends On: 869905 869906 869907 869908 869909 869910 869911 1022626
Blocks: 870156
Reported: 2012-10-25 02:21 EDT by Petr Matousek
Modified: 2015-08-17 07:24 EDT
CC List: 27 users
Doc Type: Bug Fix
Last Closed: 2013-08-24 10:07:02 EDT

Description Petr Matousek 2012-10-25 02:21:58 EDT
A race condition flaw has been found in the way asynchronous I/O and fallocate interacted, which can lead to exposure of stale data -- that is, an extent which should have had the "uninitialized" bit set, indicating that its blocks have not yet been written and thus contain data from a deleted file. An unprivileged local user could use this flaw to cause an information leak.

Acknowledgements:

Red Hat would like to thank Theodore Ts'o for reporting this issue. Upstream acknowledges Dmitry Monakhov as the original reporter.

References:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=dee1f973ca341c266229faa5a1a5bb268bed3531
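The invariant the description above relies on, shown as an added example that is not part of this bug report, of Red Hat's advisories or of the kernel patch set: a small C program reserves a region with fallocate (through glibc's posix_fallocate wrapper), reads the region back to confirm it contains only zeros, and asks the filesystem through the FIEMAP ioctl whether the extents backing it carry the "unwritten" (uninitialized) flag that keeps the blocks' previous contents hidden. The file path, the region size and all function and constant names are assumptions made for the demonstration; it is a check of a correctly behaving filesystem, not a reproducer of the AIO/fallocate race.

```c
/* fallocate_check.c: an added example, not code from the bug report, from
 * Red Hat, or from the kernel patches. It checks the invariant CVE-2012-4508
 * broke: a region reserved with fallocate() but never written must read back
 * as zeros, and its extents must carry the unwritten (uninitialized) flag so
 * that the on-disk blocks' old contents stay hidden. Paths and sizes are
 * arbitrary choices for the demonstration; FIEMAP is Linux-only and the flag
 * check is reported as unconfirmed elsewhere. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/ioctl.h>
#include <linux/fs.h>
#include <linux/fiemap.h>
#endif

enum {
    CHECK_OK = 0,        /* zeros read back and every extent flagged unwritten */
    CHECK_LEAK = 1,      /* nonzero bytes came back from never-written blocks */
    CHECK_UNFLAGGED = 2, /* zeros read back, but the unwritten flag could not be
                            confirmed (FIEMAP unavailable, or extents flagged written) */
    CHECK_ERROR = -1
};

/* Read [off, off+len) and return the number of nonzero bytes, or -1 on error.
 * Short reads are handled; a read that hits EOF stops early, since bytes past
 * EOF are not part of the file and cannot leak anything. */
long count_nonzero_bytes(int fd, off_t off, size_t len)
{
    unsigned char buf[4096];
    long nonzero = 0;
    size_t done = 0;
    while (done < len) {
        size_t want = len - done < sizeof buf ? len - done : sizeof buf;
        ssize_t n = pread(fd, buf, want, off + (off_t)done);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (n == 0) break;
        for (ssize_t i = 0; i < n; i++)
            nonzero += buf[i] != 0;
        done += (size_t)n;
    }
    return nonzero;
}

/* Count extents in [off, off+len) that lack FIEMAP_EXTENT_UNWRITTEN, i.e. that
 * the filesystem claims hold real written data. Returns -1 when FIEMAP is not
 * available (non-Linux, or a filesystem that does not implement the ioctl).
 * At most 64 extents are inspected, enough for a freshly reserved region. */
long count_written_extents(int fd, off_t off, off_t len)
{
#ifdef __linux__
    enum { MAX_EXTENTS = 64 };
    size_t sz = sizeof(struct fiemap) + MAX_EXTENTS * sizeof(struct fiemap_extent);
    struct fiemap *fm = calloc(1, sz);
    if (fm == NULL) return -1;
    fm->fm_start = (__u64)off;
    fm->fm_length = (__u64)len;
    fm->fm_flags = FIEMAP_FLAG_SYNC;   /* flush pending allocation first */
    fm->fm_extent_count = MAX_EXTENTS;
    if (ioctl(fd, FS_IOC_FIEMAP, fm) < 0) { free(fm); return -1; }
    long written = 0;
    for (unsigned i = 0; i < fm->fm_mapped_extents; i++)
        if (!(fm->fm_extents[i].fe_flags & FIEMAP_EXTENT_UNWRITTEN))
            written++;
    free(fm);
    return written;
#else
    (void)fd; (void)off; (void)len;
    return -1;
#endif
}

/* Create path, reserve len bytes, check both properties, remove the file. */
int check_fallocated_region(const char *path, off_t len)
{
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return CHECK_ERROR;
    /* glibc's posix_fallocate() calls fallocate(2); if the filesystem lacks it,
     * glibc falls back to writing zeros, which then shows up as CHECK_UNFLAGGED. */
    if (posix_fallocate(fd, 0, len) != 0) { close(fd); unlink(path); return CHECK_ERROR; }
    long nonzero = count_nonzero_bytes(fd, 0, (size_t)len);
    long written = count_written_extents(fd, 0, len);
    close(fd);
    unlink(path);
    if (nonzero < 0) return CHECK_ERROR;
    int rc = nonzero > 0 ? CHECK_LEAK : written == 0 ? CHECK_OK : CHECK_UNFLAGGED;
    printf("%s: %ld nonzero bytes, %ld written extents in %lld reserved bytes -> %s\n",
           path, nonzero, written, (long long)len,
           rc == CHECK_LEAK ? "STALE DATA EXPOSURE" :
           rc == CHECK_OK ? "ok" : "zeros, unwritten flag not confirmed");
    return rc;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/cve-2012-4508-check.bin";
    int rc = check_fallocated_region(path, 1 << 20);
    return (rc == CHECK_LEAK || rc == CHECK_ERROR) ? 1 : 0;
}
```

Point the program at a path on the filesystem under test. CHECK_LEAK means blocks that were never written returned data, which is exactly the exposure described above; CHECK_UNFLAGGED means the region read back as zeros but the extents were not reported as unwritten, either because the filesystem zero-filled the range instead of flagging it or because FIEMAP is unsupported there.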
Comment 1 Petr Matousek 2012-10-25 02:24:22 EDT
Created attachment 633181 [details]
Upstream patches

Theodore Ts'o writes:

"There are two ways of patching this bug. One is to apply the entire set of AIO/DIO race fixes, which will fix a number of other bugs (some of which can cause the system to deadlock if the right stress tester is run). All but the last two patches in the enclosed tar file are in the ext4.git tree and will shortly be pushed to Linus. The last two will fix the stale data exposure bug.

A simpler fix is to simply apply the last patch in this patch series. This should work on all older kernels; the downside of applying just the last patch is that there is a slight risk of data loss if the file system is full at the point where we have the AIO/fallocate race, *AND* the leaf node in the extent tree is full, requiring a block allocation in order to split an extent so we can mark part of the extent as being uninitialized. This is a very hard-to-hit corner case, so it should be OK to just apply the last patch in this series.

Applying the entire patch series will allow us to significantly reduce the chances of this corner case happening. The enclosed tar file has these patches ported to the 3.6 kernel; it should not be hard to make them apply for older kernels as necessary."

The last patch is also referenced in comment #0.
Comment 5 Petr Matousek 2012-10-25 02:29:36 EDT
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 869909]
Comment 7 errata-xmlrpc 2012-12-04 14:59:30 EST
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:1491 https://rhn.redhat.com/errata/RHSA-2012-1491.html
Comment 8 errata-xmlrpc 2012-12-04 15:53:28 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1540 https://rhn.redhat.com/errata/RHSA-2012-1540.html
Comment 9 errata-xmlrpc 2013-02-21 01:53:20 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0496 https://rhn.redhat.com/errata/RHSA-2013-0496.html
Comment 11 errata-xmlrpc 2013-11-13 13:54:05 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 EUS - Server and Compute Node Only

Via RHSA-2013:1519 https://rhn.redhat.com/errata/RHSA-2013-1519.html
Comment 12 errata-xmlrpc 2013-12-05 12:09:01 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only

Via RHSA-2013:1783 https://rhn.redhat.com/errata/RHSA-2013-1783.html