A flaw was found in the kernels implementation of ext4 for filesystems mounted with data=ordered mode. Stale data from recently allocated blocks may appear in newly created blocks in files when a system is 'power reset'. This may allow an attacker to gain information about file contents being written to disk when the system was being reset. This issue only affects regular write()'s and not when an application is using direct IO. In testing, the amount of stale-data leakage is at maximum the amount of outstanding delayed journal transactions to the underlying device since the last commit (defaulting to 5 seconds, but tunable/exasperated with commit=nrsec mount option).
Mitigation: Alternative filesystems may be used in place of ext4 in case of sensitive data leak. Alternatively, don't hard reset the system.
Acknowledgments: Name: Takeshi Nishimura (NEC)
Statement: This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6. This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2. Future Linux kernel updates for the respective releases may address this issue. fs
External References: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=06bd3c36a733ac27962fea7d6f47168841376824 http://seclists.org/oss-sec/2017/q2/259