From 7c061194a0a5348b25b5192f7796dd018b4828bb Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 8 Feb 2012 08:37:23 -0500 Subject: [PATCH] CVE-2011-4086 jbd2: unmapped buffer with _Unwritten or _Delay flags set can lead to DoS (rhbz 788260) --- ...nd-BH_Unwritten-in-journal_unmap_buf.patch | 91 +++++++++++++++++++ kernel.spec | 12 ++- 2 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch diff --git a/jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch b/jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch new file mode 100644 index 000000000..5ea8ccc10 --- /dev/null +++ b/jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch 
@@ -0,0 +1,91 @@ +Path: news.gmane.org!not-for-mail +From: Eric Sandeen +Newsgroups: gmane.comp.file-systems.ext4 +Subject: [PATCH] jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer +Date: Tue, 07 Feb 2012 16:07:20 -0600 +Lines: 42 +Approved: news@gmane.org +Message-ID: <4F31A098.4050601@redhat.com> +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: text/plain; charset=ISO-8859-1 +Content-Transfer-Encoding: 7bit +X-Trace: dough.gmane.org 1328656072 12026 80.91.229.3 (7 Feb 2012 23:07:52 GMT) +X-Complaints-To: usenet@dough.gmane.org +NNTP-Posting-Date: Tue, 7 Feb 2012 23:07:52 +0000 (UTC) +To: ext4 development +Original-X-From: linux-ext4-owner@vger.kernel.org Wed Feb 08 00:07:52 2012 +Return-path: +Envelope-to: gcfe-linux-ext4@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1Ruu8d-0000lK-5P + for gcfe-linux-ext4@plane.gmane.org; Wed, 08 Feb 2012 00:07:51 +0100 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1756187Ab2BGXHt (ORCPT ); + Tue, 7 Feb 2012 18:07:49 -0500 +Original-Received: from mx1.redhat.com ([209.132.183.28]:19432 "EHLO mx1.redhat.com" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1753992Ab2BGXHs (ORCPT ); + Tue, 7 Feb 2012 18:07:48 -0500 +Original-Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q17N7dj0027622 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) + for ; Tue, 7 Feb 2012 18:07:48 -0500 +Original-Received: from liberator.sandeen.net (ovpn01.gateway.prod.ext.phx2.redhat.com [10.5.9.1]) + by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q17M7Kgt001990 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) + for ; Tue, 7 Feb 2012 17:07:21 -0500 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS 
X 10.6; rv:10.0) Gecko/20120129 Thunderbird/10.0 +X-Enigmail-Version: 1.3.5 +X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11 +Original-Sender: linux-ext4-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-ext4@vger.kernel.org +Xref: news.gmane.org gmane.comp.file-systems.ext4:30623 +Archived-At: + +journal_unmap_buffer()'s zap_buffer: code clears a lot of buffer head +state ala discard_buffer(), but does not touch _Delay or _Unwritten +as discard_buffer() does. + +This can be problematic in some areas of the ext4 code which assume +that if they have found a buffer marked unwritten or delay, then it's +a live one. Perhaps those spots should check whether it is mapped +as well, but if jbd2 is going to tear down a buffer, let's really +tear it down completely. + +Without this I get some fsx failures on sub-page-block filesystems +up until v3.2, at which point 4e96b2dbbf1d7e81f22047a50f862555a6cb87cb +and 189e868fa8fdca702eb9db9d8afc46b5cb9144c9 make the failures go +away, because buried within that large change is some more flag +clearing. I still think it's worth doing in jbd2, since +->invalidatepage leads here directly, and it's the right place +to clear away these flags. + +Signed-off-by: Eric Sandeen +Cc: stable@vger.kernel.org +--- + +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c +index 35ae096..52653306 100644 +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1949,6 +1949,8 @@ zap_buffer_unlocked: + clear_buffer_mapped(bh); + clear_buffer_req(bh); + clear_buffer_new(bh); ++ clear_buffer_delay(bh); ++ clear_buffer_unwritten(bh); + bh->b_bdev = NULL; + return may_free; + } + + +-- +To unsubscribe from this list: send the line "unsubscribe linux-ext4" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + diff --git a/kernel.spec b/kernel.spec index c80d13233..3f7be4c4a 100644 --- a/kernel.spec +++ b/kernel.spec 
@@ -54,7 +54,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 2 +%global baserelease 3 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -796,6 +796,9 @@ Patch21226: pci-crs-blacklist.patch #rhbz 772772 Patch21232: rt2x00_fix_MCU_request_failures.patch +#rhbz 788260 +Patch21233: jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch + # compat-wireless patches Patch50000: compat-wireless-config-fixups.patch Patch50001: compat-wireless-pr_fmt-warning-avoidance.patch @@ -1497,6 +1500,9 @@ ApplyPatch proc-fix-null-pointer-deref-in-proc_pid_permission.patch #rhbz 772772 ApplyPatch rt2x00_fix_MCU_request_failures.patch +#rhbz 788269 +ApplyPatch jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch + # END OF PATCH APPLICATIONS %endif @@ -2296,6 +2302,10 @@ fi # and build. %changelog +* Wed Feb 08 2012 Josh Boyer +- CVE-2011-4086 jbd2: unmapped buffer with _Unwritten or _Delay flags set can + lead to DoS (rhbz 788260) + * Tue Feb 07 2012 Josh Boyer - Make build/ point to /usr/src/kernels instead of being relative (rhbz 788125)
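Review bot: in the new jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch file, the whole NNTP/mail header block (Path, Newsgroups, X-Trace, the four Original-Received chains, User-Agent, Xref) and the trailing "To unsubscribe from this list" majordomo footer are checked in ahead of and after the actual change description; trim the file to the From/Subject/Date lines, the description, the Signed-off-by/Cc trailers and the transaction.c hunk so the patch reads as a commit rather than a raw list archive dump. The hunk itself is consistent with the description: at `zap_buffer_unlocked:` it adds `clear_buffer_delay(bh);` and `clear_buffer_unwritten(bh);` alongside the existing clear_buffer_mapped/req/new calls, which is the discard_buffer()-style teardown the text says was missing.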
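Review bot: the bug reference in the `@@ -1497,6 +1500,9 @@` kernel.spec hunk is inconsistent with the rest of the change: the comment above the new `ApplyPatch jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch` line reads `#rhbz 788269`, while the `Patch21233:` definition in the `@@ -796,6 +796,9 @@` hunk, the subject line and the %changelog entry all cite rhbz 788260. Change it to `#rhbz 788260` so both spec references to the same patch point at the same bug.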