diff options
| author | Josh Boyer <jwboyer@redhat.com> | 2012-02-08 08:37:23 -0500 |
|---|---|---|
| committer | Josh Boyer <jwboyer@redhat.com> | 2012-02-08 08:39:54 -0500 |
| commit | 32e0cc2b9733351c55355fa7b1e3d18c83aef45e (patch) | |
| tree | 6bdc24febd8745baaba158fe3cb0feddd8949be2 /jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch | |
| parent | 49977fed11dc49566507e935281acb09c2ddc333 (diff) | |
| download | kernel-32e0cc2b9733351c55355fa7b1e3d18c83aef45e.tar.gz kernel-32e0cc2b9733351c55355fa7b1e3d18c83aef45e.tar.xz kernel-32e0cc2b9733351c55355fa7b1e3d18c83aef45e.zip | |
CVE-2011-4086 jbd2: unmapped buffer with _Unwritten or _Delay flags set can lead to DoS (rhbz 788260)
Diffstat (limited to 'jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch')
| -rw-r--r-- | jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch b/jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch new file mode 100644 index 000000000..5ea8ccc10 --- /dev/null +++ b/jbd2-clear-BH_Delay-and-BH_Unwritten-in-journal_unmap_buf.patch @@ -0,0 +1,91 @@ +Path: news.gmane.org!not-for-mail +From: Eric Sandeen <sandeen@redhat.com> +Newsgroups: gmane.comp.file-systems.ext4 +Subject: [PATCH] jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer +Date: Tue, 07 Feb 2012 16:07:20 -0600 +Lines: 42 +Approved: news@gmane.org +Message-ID: <4F31A098.4050601@redhat.com> +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: text/plain; charset=ISO-8859-1 +Content-Transfer-Encoding: 7bit +X-Trace: dough.gmane.org 1328656072 12026 80.91.229.3 (7 Feb 2012 23:07:52 GMT) +X-Complaints-To: usenet@dough.gmane.org +NNTP-Posting-Date: Tue, 7 Feb 2012 23:07:52 +0000 (UTC) +To: ext4 development <linux-ext4@vger.kernel.org> +Original-X-From: linux-ext4-owner@vger.kernel.org Wed Feb 08 00:07:52 2012 +Return-path: <linux-ext4-owner@vger.kernel.org> +Envelope-to: gcfe-linux-ext4@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from <linux-ext4-owner@vger.kernel.org>) + id 1Ruu8d-0000lK-5P + for gcfe-linux-ext4@plane.gmane.org; Wed, 08 Feb 2012 00:07:51 +0100 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1756187Ab2BGXHt (ORCPT <rfc822;gcfe-linux-ext4@m.gmane.org>); + Tue, 7 Feb 2012 18:07:49 -0500 +Original-Received: from mx1.redhat.com ([209.132.183.28]:19432 "EHLO mx1.redhat.com" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1753992Ab2BGXHs (ORCPT <rfc822;linux-ext4@vger.kernel.org>); + Tue, 7 Feb 2012 18:07:48 -0500 +Original-Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q17N7dj0027622 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) + for <linux-ext4@vger.kernel.org>; Tue, 7 Feb 2012 18:07:48 -0500 +Original-Received: from liberator.sandeen.net (ovpn01.gateway.prod.ext.phx2.redhat.com [10.5.9.1]) + by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q17M7Kgt001990 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) + for <linux-ext4@vger.kernel.org>; Tue, 7 Feb 2012 17:07:21 -0500 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0) Gecko/20120129 Thunderbird/10.0 +X-Enigmail-Version: 1.3.5 +X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11 +Original-Sender: linux-ext4-owner@vger.kernel.org +Precedence: bulk +List-ID: <linux-ext4.vger.kernel.org> +X-Mailing-List: linux-ext4@vger.kernel.org +Xref: news.gmane.org gmane.comp.file-systems.ext4:30623 +Archived-At: <http://permalink.gmane.org/gmane.comp.file-systems.ext4/30623> + +journal_unmap_buffer()'s zap_buffer: code clears a lot of buffer head +state ala discard_buffer(), but does not touch _Delay or _Unwritten +as discard_buffer() does. + +This can be problematic in some areas of the ext4 code which assume +that if they have found a buffer marked unwritten or delay, then it's +a live one. Perhaps those spots should check whether it is mapped +as well, but if jbd2 is going to tear down a buffer, let's really +tear it down completely. + +Without this I get some fsx failures on sub-page-block filesystems +up until v3.2, at which point 4e96b2dbbf1d7e81f22047a50f862555a6cb87cb +and 189e868fa8fdca702eb9db9d8afc46b5cb9144c9 make the failures go +away, because buried within that large change is some more flag +clearing. I still think it's worth doing in jbd2, since +->invalidatepage leads here directly, and it's the right place +to clear away these flags. + +Signed-off-by: Eric Sandeen <sandeen@redhat.com> +Cc: stable@vger.kernel.org +--- + +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c +index 35ae096..52653306 100644 +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1949,6 +1949,8 @@ zap_buffer_unlocked: + clear_buffer_mapped(bh); + clear_buffer_req(bh); + clear_buffer_new(bh); ++ clear_buffer_delay(bh); ++ clear_buffer_unwritten(bh); + bh->b_bdev = NULL; + return may_free; + } + + +-- +To unsubscribe from this list: send the line "unsubscribe linux-ext4" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + |