Bug 749143 (CVE-2011-4086) - CVE-2011-4086 kernel: jbd2: unmapped buffer with _Unwritten or _Delay flags set can lead to DoS
Summary: CVE-2011-4086 kernel: jbd2: unmapped buffer with _Unwritten or _Delay flags s...
Alias: CVE-2011-4086
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 748713 749727 783284 783477 788259 788260
Blocks: 749134
TreeView+ depends on / blocked
Reported: 2011-10-26 10:07 UTC by Eugene Teo (Security Response)
Modified: 2021-02-24 14:22 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-04-24 04:19:05 UTC

Attachments (Terms of Use)
CVE-2011 4086-proposed patch (1.50 KB, text/plain)
2012-02-07 21:53 UTC, Petr Matousek
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0107 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2012-02-09 21:37:09 UTC
Red Hat Product Errata RHSA-2012:0571 0 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2012-05-16 01:05:06 UTC
Red Hat Product Errata RHSA-2012:0670 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2012-05-16 00:14:03 UTC

Description Eugene Teo (Security Response) 2011-10-26 10:07:49 UTC
journal_unmap_buffer()'s zap_buffer: code clears a lot of buffer head
state ala discard_buffer(), but does not touch _Delay or _Unwritten
as discard_buffer() does.

This can be problematic in some areas of the ext4 code which assume
that if they have found a buffer marked unwritten or delay, then it's
a live one.  They do not check whether a buffer is mapped, so
jbd2's partial teardown can be problematic if they assume that
this buffer head is still valid.

(Mounting without a journal also avoids the bug, because
with no journal we go to unmap_buffer(), which does the right

An unprivileged local user could use this flaw to crash the system.

Comment 9 Petr Matousek 2012-02-07 21:53:41 UTC
Created attachment 560073 [details]
CVE-2011 4086-proposed patch

Comment 11 Petr Matousek 2012-02-07 21:56:35 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 788260]

Comment 15 Petr Matousek 2012-02-08 08:11:21 UTC
Upstream proposed patch:


Comment 17 errata-xmlrpc 2012-02-09 16:41:30 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0107 https://rhn.redhat.com/errata/RHSA-2012-0107.html

Comment 18 Eugene Teo (Security Response) 2012-02-15 06:04:40 UTC

This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2012-0107.html, https://rhn.redhat.com/errata/RHSA-2012-0571.html, and https://rhn.redhat.com/errata/RHSA-2012-0670.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates.

Comment 19 errata-xmlrpc 2012-05-15 22:59:17 UTC
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0670 https://rhn.redhat.com/errata/RHSA-2012-0670.html

Comment 20 errata-xmlrpc 2012-05-15 23:09:59 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0571 https://rhn.redhat.com/errata/RHSA-2012-0571.html

Note You need to log in before you can comment on or make changes to this bug.