Bug 749143 - (CVE-2011-4086) CVE-2011-4086 kernel: jbd2: unmapped buffer with _Unwritten or _Delay flags set can lead to DoS
CVE-2011-4086 kernel: jbd2: unmapped buffer with _Unwritten or _Delay flags s...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 748713 749727 783284 783477 788259 788260
Blocks: 749134
  Show dependency treegraph
Reported: 2011-10-26 06:07 EDT by Eugene Teo (Security Response)
Modified: 2015-02-16 10:42 EST (History)
14 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-04-24 00:19:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
CVE-2011 4086-proposed patch (1.50 KB, text/plain)
2012-02-07 16:53 EST, Petr Matousek
no flags Details

  None (edit)
Description Eugene Teo (Security Response) 2011-10-26 06:07:49 EDT
journal_unmap_buffer()'s zap_buffer: code clears a lot of buffer head
state ala discard_buffer(), but does not touch _Delay or _Unwritten
as discard_buffer() does.

This can be problematic in some areas of the ext4 code which assume
that if they have found a buffer marked unwritten or delay, then it's
a live one.  They do not check whether a buffer is mapped, so
jbd2's partial teardown can be problematic if they assume that
this buffer head is still valid.

(Mounting without a journal also avoids the bug, because
with no journal we go to unmap_buffer(), which does the right

An unprivileged local user could use this flaw to crash the system.
Comment 9 Petr Matousek 2012-02-07 16:53:41 EST
Created attachment 560073 [details]
CVE-2011 4086-proposed patch
Comment 11 Petr Matousek 2012-02-07 16:56:35 EST
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 788260]
Comment 15 Petr Matousek 2012-02-08 03:11:21 EST
Upstream proposed patch:

Comment 17 errata-xmlrpc 2012-02-09 11:41:30 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0107 https://rhn.redhat.com/errata/RHSA-2012-0107.html
Comment 18 Eugene Teo (Security Response) 2012-02-15 01:04:40 EST

This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2012-0107.html, https://rhn.redhat.com/errata/RHSA-2012-0571.html, and https://rhn.redhat.com/errata/RHSA-2012-0670.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates.
Comment 19 errata-xmlrpc 2012-05-15 18:59:17 EDT
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0670 https://rhn.redhat.com/errata/RHSA-2012-0670.html
Comment 20 errata-xmlrpc 2012-05-15 19:09:59 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0571 https://rhn.redhat.com/errata/RHSA-2012-0571.html

Note You need to log in before you can comment on or make changes to this bug.