CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)
parent
2f5fc4c515
commit
20c2f18ff6
|
@ -43,7 +43,7 @@ Signed-off-by: Josh Stone <jistone@redhat.com>
|
|||
2 files changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 6276fcaabf21..fda7c73b428f 100644
|
||||
index 0efae2279fbe..9eb829052936 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -704,7 +704,11 @@ KBUILD_CFLAGS += -fomit-frame-pointer
|
||||
|
|
|
@ -0,0 +1,78 @@
|
|||
From: Lukas Czerner <lczerner@redhat.com>
|
||||
Date: Wed, 18 Feb 2015 17:49:28 +0100
|
||||
Subject: [PATCH] ext4: Allocate entire range in zero range
|
||||
|
||||
Currently there is a bug in zero range code which causes zero range
|
||||
calls to only allocate block aligned portion of the range, while
|
||||
ignoring the rest in some cases.
|
||||
|
||||
In some cases, namely if the end of the range is past isize, we do
|
||||
attempt to preallocate the last nonaligned block. However this might
|
||||
cause kernel to BUG() in some carefully designed zero range requests on
|
||||
setups where page size > block size.
|
||||
|
||||
Fix this problem by first preallocating the entire range, including the
|
||||
nonaligned edges and converting the written extents to unwritten in the
|
||||
next step. This approach will also give us the advantage of having the
|
||||
range to be as linearly contiguous as possible.
|
||||
|
||||
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
|
||||
---
|
||||
fs/ext4/extents.c | 31 +++++++++++++++++++------------
|
||||
1 file changed, 19 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
|
||||
index 0b16fb4c06d3..e3bf236a36ac 100644
|
||||
--- a/fs/ext4/extents.c
|
||||
+++ b/fs/ext4/extents.c
|
||||
@@ -4792,12 +4792,6 @@ static long ext4_zero_range(struct file *file, loff_t offset,
|
||||
else
|
||||
max_blocks -= lblk;
|
||||
|
||||
- flags = EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT |
|
||||
- EXT4_GET_BLOCKS_CONVERT_UNWRITTEN |
|
||||
- EXT4_EX_NOCACHE;
|
||||
- if (mode & FALLOC_FL_KEEP_SIZE)
|
||||
- flags |= EXT4_GET_BLOCKS_KEEP_SIZE;
|
||||
-
|
||||
mutex_lock(&inode->i_mutex);
|
||||
|
||||
/*
|
||||
@@ -4814,15 +4808,28 @@ static long ext4_zero_range(struct file *file, loff_t offset,
|
||||
ret = inode_newsize_ok(inode, new_size);
|
||||
if (ret)
|
||||
goto out_mutex;
|
||||
- /*
|
||||
- * If we have a partial block after EOF we have to allocate
|
||||
- * the entire block.
|
||||
- */
|
||||
- if (partial_end)
|
||||
- max_blocks += 1;
|
||||
}
|
||||
|
||||
+ flags = EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT;
|
||||
+ if (mode & FALLOC_FL_KEEP_SIZE)
|
||||
+ flags |= EXT4_GET_BLOCKS_KEEP_SIZE;
|
||||
+
|
||||
+ /* Preallocate the range including the unaligned edges */
|
||||
+ if (partial_begin || partial_end) {
|
||||
+ ret = ext4_alloc_file_blocks(file,
|
||||
+ round_down(offset, 1 << blkbits) >> blkbits,
|
||||
+ (round_up((offset + len), 1 << blkbits) -
|
||||
+ round_down(offset, 1 << blkbits)) >> blkbits,
|
||||
+ new_size, flags, mode);
|
||||
+ if (ret)
|
||||
+ goto out_mutex;
|
||||
+
|
||||
+ }
|
||||
+
|
||||
+ /* Zero range excluding the unaligned edges */
|
||||
if (max_blocks > 0) {
|
||||
+ flags |= (EXT4_GET_BLOCKS_CONVERT_UNWRITTEN |
|
||||
+ EXT4_EX_NOCACHE);
|
||||
|
||||
/* Now release the pages and zero block aligned part of pages*/
|
||||
truncate_pagecache_range(inode, start, end - 1);
|
||||
--
|
||||
2.1.0
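Review bot: The block range handed to the new `ext4_alloc_file_blocks()` call is computed inline, with `round_down(offset, 1 << blkbits)` written twice and `offset + len` rounded up with no bound visible in the hunk, which makes the one calculation this CVE fix depends on hard to audit. Presumably an earlier check has already rejected ranges where `offset + len` overflows or exceeds the filesystem limit, but that is outside the hunk; once confirmed, a comment such as `/* offset + len was range-checked before this point and cannot overflow loff_t */` would record the assumption. Naming the start block and block count in two locals before the call would also let a reader compare them with `lblk` and `max_blocks`, which are set earlier in `ext4_zero_range()`; the function starts and ends outside these hunks. The empty added line before the closing brace of the `if (partial_begin || partial_end)` block can be dropped.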
|
||||
|
|
@ -647,6 +647,9 @@ Patch26135: ASLR-fix-stack-randomization-on-64-bit-systems.patch
|
|||
#CVE-XXXX-XXXX rhbz 1189864 1192079
|
||||
Patch26136: vhost-scsi-potential-memory-corruption.patch
|
||||
|
||||
#CVE-2015-0275 rhbz 1193907 1195178
|
||||
Patch26138: ext4-Allocate-entire-range-in-zero-range.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1399,6 +1402,9 @@ ApplyPatch ASLR-fix-stack-randomization-on-64-bit-systems.patch
|
|||
#CVE-XXXX-XXXX rhbz 1189864 1192079
|
||||
ApplyPatch vhost-scsi-potential-memory-corruption.patch
|
||||
|
||||
#CVE-2015-0275 rhbz 1193907 1195178
|
||||
ApplyPatch ext4-Allocate-entire-range-in-zero-range.patch
|
||||
|
||||
%if 0%{?aarch64patches}
|
||||
ApplyPatch kernel-arm64.patch
|
||||
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
|
||||
|
@ -2269,6 +2275,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Mon Feb 23 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)
|
||||
|
||||
* Fri Feb 20 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Move mtpspi and related mods to kernel-core for VMWare guests (rhbz 1194612)
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ Upstream-status: Fedora mustard (might be worth dropping...)
|
|||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
|
||||
index cfba74cd8e8b..5127df3cc064 100644
|
||||
index dd8c8d690763..100e6a54264d 100644
|
||||
--- a/drivers/scsi/sd.c
|
||||
+++ b/drivers/scsi/sd.c
|
||||
@@ -2768,13 +2768,18 @@ static int sd_try_extended_inquiry(struct scsi_device *sdp)
|
||||
|
|
|
@ -71,7 +71,7 @@ index 8a6f371ed6e7..9893d696fc97 100644
|
|||
}
|
||||
}
|
||||
diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h
|
||||
index 1f430bb02ca1..9ec4561f6c2c 100644
|
||||
index 2706a434fdbb..da3d98c72db1 100644
|
||||
--- a/drivers/usb/storage/unusual_uas.h
|
||||
+++ b/drivers/usb/storage/unusual_uas.h
|
||||
@@ -110,14 +110,6 @@ UNUSUAL_DEV(0x152d, 0x0567, 0x0000, 0x9999,
|
||||
|
|