CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)

ext4-Allocate-entire-range-in-zero-range.patch

@@ -0,0 +1,78 @@
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Wed, 18 Feb 2015 17:49:28 +0100
+Subject: [PATCH] ext4: Allocate entire range in zero range
+
+Currently there is a bug in zero range code which causes zero range
+calls to only allocate block aligned portion of the range, while
+ignoring the rest in some cases.
+
+In some cases, namely if the end of the range is past isize, we do
+attempt to preallocate the last nonaligned block. However this might
+cause kernel to BUG() in some carefully designed zero range requests on
+setups where page size > block size.
+
+Fix this problem by first preallocating the entire range, including the
+nonaligned edges and converting the written extents to unwritten in the
+next step. This approach will also give us the advantage of having the
+range to be as linearly contiguous as possible.
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+---
+ fs/ext4/extents.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 0b16fb4c06d3..e3bf236a36ac 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4792,12 +4792,6 @@ static long ext4_zero_range(struct file *file, loff_t offset,
+ 	else
+ 		max_blocks -= lblk;
+ 
+-	flags = EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT |
+-		EXT4_GET_BLOCKS_CONVERT_UNWRITTEN |
+-		EXT4_EX_NOCACHE;
+-	if (mode & FALLOC_FL_KEEP_SIZE)
+-		flags |= EXT4_GET_BLOCKS_KEEP_SIZE;
+-
+ 	mutex_lock(&inode->i_mutex);
+ 
+ 	/*
+@@ -4814,15 +4808,28 @@ static long ext4_zero_range(struct file *file, loff_t offset,
+ 		ret = inode_newsize_ok(inode, new_size);
+ 		if (ret)
+ 			goto out_mutex;
+-		/*
+-		 * If we have a partial block after EOF we have to allocate
+-		 * the entire block.
+-		 */
+-		if (partial_end)
+-			max_blocks += 1;
+ 	}
+ 
++	flags = EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT;
++	if (mode & FALLOC_FL_KEEP_SIZE)
++		flags |= EXT4_GET_BLOCKS_KEEP_SIZE;
++
++	/* Preallocate the range including the unaligned edges */
++	if (partial_begin || partial_end) {
++		ret = ext4_alloc_file_blocks(file,
++				round_down(offset, 1 << blkbits) >> blkbits,
++				(round_up((offset + len), 1 << blkbits) -
++				 round_down(offset, 1 << blkbits)) >> blkbits,
++				new_size, flags, mode);
++		if (ret)
++			goto out_mutex;
++
++	}
++
++	/* Zero range excluding the unaligned edges */
+ 	if (max_blocks > 0) {
++		flags |= (EXT4_GET_BLOCKS_CONVERT_UNWRITTEN |
++			  EXT4_EX_NOCACHE);
+ 
+ 		/* Now release the pages and zero block aligned part of pages*/
+ 		truncate_pagecache_range(inode, start, end - 1);
+-- 
+2.1.0
+

kernel.spec

@@ -764,6 +764,9 @@ Patch26135: ASLR-fix-stack-randomization-on-64-bit-systems.patch
 #CVE-XXXX-XXXX rhbz 1189864 1192079
 Patch26136: vhost-scsi-potential-memory-corruption.patch
 
+#CVE-2015-0275 rhbz 1193907 1195178
+Patch26138: ext4-Allocate-entire-range-in-zero-range.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1491,6 +1494,9 @@ ApplyPatch ASLR-fix-stack-randomization-on-64-bit-systems.patch
 #CVE-XXXX-XXXX rhbz 1189864 1192079
 ApplyPatch vhost-scsi-potential-memory-corruption.patch
 
+#CVE-2015-0275 rhbz 1193907 1195178
+ApplyPatch ext4-Allocate-entire-range-in-zero-range.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2309,6 +2315,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Mon Feb 23 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)
+
 * Mon Feb 16 2015 Josh Boyer <jwboyer@fedoraproject.org>
 - CVE-XXXX-XXXX potential memory corruption in vhost/scsi driver (rhbz 1189864 1192079)
 - CVE-2015-1593 stack ASLR integer overflow (rhbz 1192519 1192520)