field | value | date
---|---|---
author | Josh Boyer <jwboyer@redhat.com> | 2012-02-08 08:37:23 -0500
committer | Josh Boyer <jwboyer@redhat.com> | 2012-02-08 08:39:54 -0500
commit | 32e0cc2b9733351c55355fa7b1e3d18c83aef45e (patch) |
tree | 6bdc24febd8745baaba158fe3cb0feddd8949be2 |
parent | 49977fed11dc49566507e935281acb09c2ddc333 (diff) |
download | kernel-32e0cc2b9733351c55355fa7b1e3d18c83aef45e.tar.gz, kernel-32e0cc2b9733351c55355fa7b1e3d18c83aef45e.tar.xz, kernel-32e0cc2b9733351c55355fa7b1e3d18c83aef45e.zip |
CVE-2011-4086 jbd2: unmapped buffer with _Unwritten or _Delay flags set can lead to DoS (rhbz 788260)
-rw-r--r-- | jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch | 91
-rw-r--r-- | kernel.spec | 12
2 files changed, 102 insertions, 1 deletions
diff --git a/jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch b/jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch new file mode 100644 index 000000000..5ea8ccc10 --- /dev/null +++ b/jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch 
@@ -0,0 +1,91 @@ +Path: news.gmane.org!not-for-mail +From: Eric Sandeen <sandeen@redhat.com> +Newsgroups: gmane.comp.file-systems.ext4 +Subject: [PATCH] jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer +Date: Tue, 07 Feb 2012 16:07:20 -0600 +Lines: 42 +Approved: news@gmane.org +Message-ID: <4F31A098.4050601@redhat.com> +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: text/plain; charset=ISO-8859-1 +Content-Transfer-Encoding: 7bit +X-Trace: dough.gmane.org 1328656072 12026 80.91.229.3 (7 Feb 2012 23:07:52 GMT) +X-Complaints-To: usenet@dough.gmane.org +NNTP-Posting-Date: Tue, 7 Feb 2012 23:07:52 +0000 (UTC) +To: ext4 development <linux-ext4@vger.kernel.org> +Original-X-From: linux-ext4-owner@vger.kernel.org Wed Feb 08 00:07:52 2012 +Return-path: <linux-ext4-owner@vger.kernel.org> +Envelope-to: gcfe-linux-ext4@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from <linux-ext4-owner@vger.kernel.org>) + id 1Ruu8d-0000lK-5P + for gcfe-linux-ext4@plane.gmane.org; Wed, 08 Feb 2012 00:07:51 +0100 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1756187Ab2BGXHt (ORCPT <rfc822;gcfe-linux-ext4@m.gmane.org>); + Tue, 7 Feb 2012 18:07:49 -0500 +Original-Received: from mx1.redhat.com ([209.132.183.28]:19432 "EHLO mx1.redhat.com" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1753992Ab2BGXHs (ORCPT <rfc822;linux-ext4@vger.kernel.org>); + Tue, 7 Feb 2012 18:07:48 -0500 +Original-Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q17N7dj0027622 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) + for <linux-ext4@vger.kernel.org>; Tue, 7 Feb 2012 18:07:48 -0500 +Original-Received: from liberator.sandeen.net (ovpn01.gateway.prod.ext.phx2.redhat.com [10.5.9.1]) + by 
int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q17M7Kgt001990 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) + for <linux-ext4@vger.kernel.org>; Tue, 7 Feb 2012 17:07:21 -0500 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0) Gecko/20120129 Thunderbird/10.0 +X-Enigmail-Version: 1.3.5 +X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11 +Original-Sender: linux-ext4-owner@vger.kernel.org +Precedence: bulk +List-ID: <linux-ext4.vger.kernel.org> +X-Mailing-List: linux-ext4@vger.kernel.org +Xref: news.gmane.org gmane.comp.file-systems.ext4:30623 +Archived-At: <http://permalink.gmane.org/gmane.comp.file-systems.ext4/30623> + +journal_unmap_buffer()'s zap_buffer: code clears a lot of buffer head +state ala discard_buffer(), but does not touch _Delay or _Unwritten +as discard_buffer() does. + +This can be problematic in some areas of the ext4 code which assume +that if they have found a buffer marked unwritten or delay, then it's +a live one. Perhaps those spots should check whether it is mapped +as well, but if jbd2 is going to tear down a buffer, let's really +tear it down completely. + +Without this I get some fsx failures on sub-page-block filesystems +up until v3.2, at which point 4e96b2dbbf1d7e81f22047a50f862555a6cb87cb +and 189e868fa8fdca702eb9db9d8afc46b5cb9144c9 make the failures go +away, because buried within that large change is some more flag +clearing. I still think it's worth doing in jbd2, since +->invalidatepage leads here directly, and it's the right place +to clear away these flags. 
+ +Signed-off-by: Eric Sandeen <sandeen@redhat.com> +Cc: stable@vger.kernel.org +--- + +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c +index 35ae096..52653306 100644 +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1949,6 +1949,8 @@ zap_buffer_unlocked: + clear_buffer_mapped(bh); + clear_buffer_req(bh); + clear_buffer_new(bh); ++ clear_buffer_delay(bh); ++ clear_buffer_unwritten(bh); + bh->b_bdev = NULL; + return may_free; + } + + +-- +To unsubscribe from this list: send the line "unsubscribe linux-ext4" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + diff --git a/kernel.spec b/kernel.spec index 92cfc3aa5..172deb8ce 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 2 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -743,6 +743,9 @@ Patch21094: power-x86-destdir.patch Patch21095: hfsplus-Change-finder_info-to-u32.patch Patch21096: hfsplus-Add-an-ioctl-to-bless-files.patch +#rhbz 788260 +Patch21233: jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch + # compat-wireless patches Patch50000: compat-wireless-config-fixups.patch Patch50001: compat-wireless-pr_fmt-warning-avoidance.patch @@ -1434,6 +1437,9 @@ ApplyPatch power-x86-destdir.patch ApplyPatch hfsplus-Change-finder_info-to-u32.patch ApplyPatch hfsplus-Add-an-ioctl-to-bless-files.patch +#rhbz 788269 +ApplyPatch jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch + # END OF PATCH APPLICATIONS %endif 
@@ -2304,6 +2310,10 @@ fi # ||----w | # || || %changelog +* Wed Feb 08 2012 Josh Boyer <jwboyer@redhat.com> +- CVE-2011-4086 jbd2: unmapped buffer with _Unwritten or _Delay flags set can + lead to DoS (rhbz 788260) + * Tue Feb 07 2012 Josh Boyer <jwboyer@redhat.com> - Linux 3.3-rc2-git6 (upstream 6bd113f1f4a8c0d05c4dbadb300319e0e3526db4) |
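Review bot: the new jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch file carries the whole NNTP and SMTP transport envelope (Path:, Xref:, X-Trace:, NNTP-Posting-Host:, four Original-Received: blocks) plus the majordomo "To unsubscribe" footer; trim it to the From:, Subject:, Date: and Message-ID: lines and the body so the file in the tree records the change and Eric Sandeen's rationale rather than mail routing. A one-line reference to CVE-2011-4086 and rhbz 788260 above the Signed-off-by would also make the file self-describing when grepping the patch directory. The two-line hunk itself, adding clear_buffer_delay(bh) and clear_buffer_unwritten(bh) after clear_buffer_new(bh) under the zap_buffer_unlocked: label, matches what the description says the change does.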
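Review bot: in the @@ -1434,6 +1437,9 @@ hunk the comment above the ApplyPatch line reads "#rhbz 788269", while the Patch21233 definition, the %changelog entry and the commit subject all cite rhbz 788260; change it to "#rhbz 788260" so both comments point at the same bug.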