CVE-2011-4086 jbd2: unmapped buffer with _Unwritten or _Delay flags set can lead to DoS (rhbz 788260)
parent 2165bab1eb
commit 7c061194a0
@ -0,0 +1,91 @@
|
|||||||
|
Path: news.gmane.org!not-for-mail
|
||||||
|
From: Eric Sandeen <sandeen@redhat.com>
|
||||||
|
Newsgroups: gmane.comp.file-systems.ext4
|
||||||
|
Subject: [PATCH] jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer
|
||||||
|
Date: Tue, 07 Feb 2012 16:07:20 -0600
|
||||||
|
Lines: 42
|
||||||
|
Approved: news@gmane.org
|
||||||
|
Message-ID: <4F31A098.4050601@redhat.com>
|
||||||
|
NNTP-Posting-Host: plane.gmane.org
|
||||||
|
Mime-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=ISO-8859-1
|
||||||
|
Content-Transfer-Encoding: 7bit
|
||||||
|
X-Trace: dough.gmane.org 1328656072 12026 80.91.229.3 (7 Feb 2012 23:07:52 GMT)
|
||||||
|
X-Complaints-To: usenet@dough.gmane.org
|
||||||
|
NNTP-Posting-Date: Tue, 7 Feb 2012 23:07:52 +0000 (UTC)
|
||||||
|
To: ext4 development <linux-ext4@vger.kernel.org>
|
||||||
|
Original-X-From: linux-ext4-owner@vger.kernel.org Wed Feb 08 00:07:52 2012
|
||||||
|
Return-path: <linux-ext4-owner@vger.kernel.org>
|
||||||
|
Envelope-to: gcfe-linux-ext4@plane.gmane.org
|
||||||
|
Original-Received: from vger.kernel.org ([209.132.180.67])
|
||||||
|
by plane.gmane.org with esmtp (Exim 4.69)
|
||||||
|
(envelope-from <linux-ext4-owner@vger.kernel.org>)
|
||||||
|
id 1Ruu8d-0000lK-5P
|
||||||
|
for gcfe-linux-ext4@plane.gmane.org; Wed, 08 Feb 2012 00:07:51 +0100
|
||||||
|
Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
||||||
|
id S1756187Ab2BGXHt (ORCPT <rfc822;gcfe-linux-ext4@m.gmane.org>);
|
||||||
|
Tue, 7 Feb 2012 18:07:49 -0500
|
||||||
|
Original-Received: from mx1.redhat.com ([209.132.183.28]:19432 "EHLO mx1.redhat.com"
|
||||||
|
rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
|
||||||
|
id S1753992Ab2BGXHs (ORCPT <rfc822;linux-ext4@vger.kernel.org>);
|
||||||
|
Tue, 7 Feb 2012 18:07:48 -0500
|
||||||
|
Original-Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])
|
||||||
|
by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q17N7dj0027622
|
||||||
|
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
|
||||||
|
for <linux-ext4@vger.kernel.org>; Tue, 7 Feb 2012 18:07:48 -0500
|
||||||
|
Original-Received: from liberator.sandeen.net (ovpn01.gateway.prod.ext.phx2.redhat.com [10.5.9.1])
|
||||||
|
by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q17M7Kgt001990
|
||||||
|
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
|
||||||
|
for <linux-ext4@vger.kernel.org>; Tue, 7 Feb 2012 17:07:21 -0500
|
||||||
|
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0) Gecko/20120129 Thunderbird/10.0
|
||||||
|
X-Enigmail-Version: 1.3.5
|
||||||
|
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11
|
||||||
|
Original-Sender: linux-ext4-owner@vger.kernel.org
|
||||||
|
Precedence: bulk
|
||||||
|
List-ID: <linux-ext4.vger.kernel.org>
|
||||||
|
X-Mailing-List: linux-ext4@vger.kernel.org
|
||||||
|
Xref: news.gmane.org gmane.comp.file-systems.ext4:30623
|
||||||
|
Archived-At: <http://permalink.gmane.org/gmane.comp.file-systems.ext4/30623>
|
||||||
|
|
||||||
|
journal_unmap_buffer()'s zap_buffer: code clears a lot of buffer head
|
||||||
|
state ala discard_buffer(), but does not touch _Delay or _Unwritten
|
||||||
|
as discard_buffer() does.
|
||||||
|
|
||||||
|
This can be problematic in some areas of the ext4 code which assume
|
||||||
|
that if they have found a buffer marked unwritten or delay, then it's
|
||||||
|
a live one. Perhaps those spots should check whether it is mapped
|
||||||
|
as well, but if jbd2 is going to tear down a buffer, let's really
|
||||||
|
tear it down completely.
|
||||||
|
|
||||||
|
Without this I get some fsx failures on sub-page-block filesystems
|
||||||
|
up until v3.2, at which point 4e96b2dbbf1d7e81f22047a50f862555a6cb87cb
|
||||||
|
and 189e868fa8fdca702eb9db9d8afc46b5cb9144c9 make the failures go
|
||||||
|
away, because buried within that large change is some more flag
|
||||||
|
clearing. I still think it's worth doing in jbd2, since
|
||||||
|
->invalidatepage leads here directly, and it's the right place
|
||||||
|
to clear away these flags.
|
||||||
|
|
||||||
|
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
|
||||||
|
Cc: stable@vger.kernel.org
|
||||||
|
---
|
||||||
|
|
||||||
|
diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
|
||||||
|
index 35ae096..52653306 100644
|
||||||
|
--- a/fs/jbd2/transaction.c
|
||||||
|
+++ b/fs/jbd2/transaction.c
|
||||||
|
@@ -1949,6 +1949,8 @@ zap_buffer_unlocked:
|
||||||
|
clear_buffer_mapped(bh);
|
||||||
|
clear_buffer_req(bh);
|
||||||
|
clear_buffer_new(bh);
|
||||||
|
+ clear_buffer_delay(bh);
|
||||||
|
+ clear_buffer_unwritten(bh);
|
||||||
|
bh->b_bdev = NULL;
|
||||||
|
return may_free;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
--
|
||||||
|
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
|
||||||
|
the body of a message to majordomo@vger.kernel.org
|
||||||
|
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||||
|
|
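Review bot: The added patch file carries the complete NNTP and mail transport header block from the gmane posting (Path, X-Trace, the Original-Received chain with internal relay hostnames and 10.5.x.x addresses, User-Agent, X-Scanned-By), none of which is needed to apply or attribute the change. Trim the header to From, Subject, Date and Message-ID, keep the Archived-At permalink as the provenance pointer, and drop the majordomo unsubscribe footer that follows the diff.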
kernel.spec
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||||||
# For non-released -rc kernels, this will be appended after the rcX and
|
# For non-released -rc kernels, this will be appended after the rcX and
|
||||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||||
#
|
#
|
||||||
%global baserelease 2
|
%global baserelease 3
|
||||||
%global fedora_build %{baserelease}
|
%global fedora_build %{baserelease}
|
||||||
|
|
||||||
# base_sublevel is the kernel version we're starting with and patching
|
# base_sublevel is the kernel version we're starting with and patching
|
||||||
@ -796,6 +796,9 @@ Patch21226: pci-crs-blacklist.patch
|
|||||||
#rhbz 772772
|
#rhbz 772772
|
||||||
Patch21232: rt2x00_fix_MCU_request_failures.patch
|
Patch21232: rt2x00_fix_MCU_request_failures.patch
|
||||||
|
|
||||||
|
#rhbz 788260
|
||||||
|
Patch21233: jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch
|
||||||
|
|
||||||
# compat-wireless patches
|
# compat-wireless patches
|
||||||
Patch50000: compat-wireless-config-fixups.patch
|
Patch50000: compat-wireless-config-fixups.patch
|
||||||
Patch50001: compat-wireless-pr_fmt-warning-avoidance.patch
|
Patch50001: compat-wireless-pr_fmt-warning-avoidance.patch
|
||||||
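Review bot: The comment above Patch21233 gives only `#rhbz 788260`, while the commit title and the %changelog entry identify this fix as CVE-2011-4086. Add the CVE id to the comment, for example `#rhbz 788260 CVE-2011-4086`, so the patch can be located by CVE when the spec is audited.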
@ -1497,6 +1500,9 @@ ApplyPatch proc-fix-null-pointer-deref-in-proc_pid_permission.patch
|
|||||||
#rhbz 772772
|
#rhbz 772772
|
||||||
ApplyPatch rt2x00_fix_MCU_request_failures.patch
|
ApplyPatch rt2x00_fix_MCU_request_failures.patch
|
||||||
|
|
||||||
|
#rhbz 788269
|
||||||
|
ApplyPatch jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch
|
||||||
|
|
||||||
# END OF PATCH APPLICATIONS
|
# END OF PATCH APPLICATIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
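Review bot: The comment above the new ApplyPatch line reads `#rhbz 788269`, but the Patch21233 declaration and the %changelog entry both reference rhbz 788260. This looks like a typo; change it to `#rhbz 788260` so the bug reference is consistent across the spec.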
@ -2296,6 +2302,10 @@ fi
|
|||||||
# and build.
|
# and build.
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Feb 08 2012 Josh Boyer <jwboyer@redhat.com>
|
||||||
|
- CVE-2011-4086 jbd2: unmapped buffer with _Unwritten or _Delay flags set can
|
||||||
|
lead to DoS (rhbz 788260)
|
||||||
|
|
||||||
* Tue Feb 07 2012 Josh Boyer <jwboyer@redhat.com>
|
* Tue Feb 07 2012 Josh Boyer <jwboyer@redhat.com>
|
||||||
- Make build/ point to /usr/src/kernels instead of being relative (rhbz 788125)
|
- Make build/ point to /usr/src/kernels instead of being relative (rhbz 788125)
|
||||||
|
|
||||||
|