Bug 869904 (CVE-2012-4508) - CVE-2012-4508 kernel: ext4: AIO vs fallocate stale data exposure
Summary: CVE-2012-4508 kernel: ext4: AIO vs fallocate stale data exposure
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-4508
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 869905 869906 869907 869908 869909 869910 869911 1022626
Blocks: 870156
TreeView+ depends on / blocked
 
Reported: 2012-10-25 06:21 UTC by Petr Matousek
Modified: 2019-09-29 12:56 UTC (History)
27 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-24 14:07:02 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1491 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2012-12-05 00:50:25 UTC
Red Hat Product Errata RHSA-2012:1540 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2012-12-05 01:51:24 UTC
Red Hat Product Errata RHSA-2013:0496 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 6 kernel update 2013-02-20 21:40:54 UTC
Red Hat Product Errata RHSA-2013:1519 normal SHIPPED_LIVE Important: kernel security and bug fix update 2013-11-13 23:52:26 UTC
Red Hat Product Errata RHSA-2013:1783 normal SHIPPED_LIVE Important: kernel security and bug fix update 2013-12-05 22:07:09 UTC

Description Petr Matousek 2012-10-25 06:21:58 UTC
A race condition flaw has been found in the way asynchronous I/O and fallocate interacted which can lead to exposure of stale data -- that is, an extent which should have had the "uninitialized" bit set indicating that its blocks have not yet been written and thus contain data from a deleted file. An unprivileged local user could use this flaw to cause an information leak.

Acknowledgements:

Red Hat would like to thank Theodore Ts'o for reporting this issue. Upstream acknowledges Dmitry Monakhov as the original reporter.

References:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=dee1f973ca341c266229faa5a1a5bb268bed3531

Comment 1 Petr Matousek 2012-10-25 06:24:22 UTC
Created attachment 633181 [details]
Upstream patches

Theodore Ts'o writes:

"There are two ways of patching this bug.  One is to apply the entire
set of AIO/DIO race fixes, which will fix a number of other bugs (some
of which can cause the system to deadlock if the right stress tester
is run).  All but the last two patches in the enclosed tar file are in
the ext4.git tree and will shortly be pushed to Linus.  The last two
will fix stale data exposure bug.

A simpler fix is to simply apply the last patch in this patch series.
This should work on all older kernels; the downside of applying just
the last patch is that there is a slight risk of data loss if the file
system is full at the point where we have the AIO/fallocate race,
*AND* the leaf node in extent tree is full, requiring a block
allocation in order to split an extent so we can mark part of the
extent as being uninitialized.  This is a very hard-to-hit corner
case, so it should be OK to just apply the last patch in this series.

Applying the entire patch series will allow us to significantly reduce
the chances of this corner case happening.  The enclosed tar file has
these patches ported to the 3.6 kernel; it should not be hard to make
them apply for older kernels as necessary."

The last patch is also referenced in comment#0.

Comment 5 Petr Matousek 2012-10-25 06:29:36 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 869909]

Comment 7 errata-xmlrpc 2012-12-04 19:59:30 UTC
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:1491 https://rhn.redhat.com/errata/RHSA-2012-1491.html

Comment 8 errata-xmlrpc 2012-12-04 20:53:28 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1540 https://rhn.redhat.com/errata/RHSA-2012-1540.html

Comment 9 errata-xmlrpc 2013-02-21 06:53:20 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0496 https://rhn.redhat.com/errata/RHSA-2013-0496.html

Comment 11 errata-xmlrpc 2013-11-13 18:54:05 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6.2 EUS - Server and Compute Node Only

Via RHSA-2013:1519 https://rhn.redhat.com/errata/RHSA-2013-1519.html

Comment 12 errata-xmlrpc 2013-12-05 17:09:01 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only

Via RHSA-2013:1783 https://rhn.redhat.com/errata/RHSA-2013-1783.html


Note You need to log in before you can comment on or make changes to this bug.