[Devel] [PATCH RHEL7 COMMIT] ms/ext4: CVE-2014-8086 prevent bugon on race between write/fcntl

Konstantin Khorenko khorenko at virtuozzo.com
Wed Jun 24 03:03:15 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.17
------>
commit 7546192e5ee7539fc6f3d1c2ee7cf25acdab5936
Author: Dmitry Monakhov <dmonakhov at openvz.org>
Date:   Wed Jun 24 14:03:14 2015 +0400

    ms/ext4: CVE-2014-8086 prevent bugon on race between write/fcntl
    
    Original commit a41537e69b4aa4
    O_DIRECT flags can be toggeled via fcntl(F_SETFL). But this value checked
    twice inside ext4_file_write_iter() and __generic_file_write() which
    result in BUG_ON inside ext4_direct_IO.
    
    Let's initialize iocb->private unconditionally.
    
    TESTCASE: xfstest:generic/036  https://patchwork.ozlabs.org/patch/402445/
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1151353
    
    #TYPICAL STACK TRACE:
    kernel BUG at fs/ext4/inode.c:3165!
    invalid opcode: 0000 [#1] SMP
    Modules linked in: brd iTCO_wdt lpc_ich mfd_core igb ptp dm_mirror dm_region_hash dm_log dm_mod
    CPU: 6 PID: 5505 Comm: aio-dio-fcntl-r Not tainted 3.17.0-rc2-00176-gff5c017 #161
    Hardware name: Intel Corporation W2600CR/W2600CR, BIOS SE5C600.86B.99.99.x028.061320111235 06/13/2011
    task: ffff88080e95a7c0 ti: ffff88080f908000 task.ti: ffff88080f908000
    RIP: 0010:[<ffffffff811fabf2>]  [<ffffffff811fabf2>] ext4_direct_IO+0x162/0x3d0
    RSP: 0018:ffff88080f90bb58  EFLAGS: 00010246
    RAX: 0000000000000400 RBX: ffff88080fdb2a28 RCX: 00000000a802c818
    RDX: 0000040000080000 RSI: ffff88080d8aeb80 RDI: 0000000000000001
    RBP: ffff88080f90bbc8 R08: 0000000000000000 R09: 0000000000001581
    R10: 0000000000000000 R11: 0000000000000000 R12: ffff88080d8aeb80
    R13: ffff88080f90bbf8 R14: ffff88080fdb28c8 R15: ffff88080fdb2a28
    FS:  00007f23b2055700(0000) GS:ffff880818400000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f23b2045000 CR3: 000000080cedf000 CR4: 00000000000407e0
    Stack:
     ffff88080f90bb98 0000000000000000 7ffffffffffffffe ffff88080fdb2c30
     0000000000000200 0000000000000200 0000000000000001 0000000000000200
     ffff88080f90bbc8 ffff88080fdb2c30 ffff88080f90be08 0000000000000200
    Call Trace:
     [<ffffffff8112ca9d>] generic_file_direct_write+0xed/0x180
     [<ffffffff8112f2b2>] __generic_file_write_iter+0x222/0x370
     [<ffffffff811f495b>] ext4_file_write_iter+0x34b/0x400
     [<ffffffff811bd709>] ? aio_run_iocb+0x239/0x410
     [<ffffffff811bd709>] ? aio_run_iocb+0x239/0x410
     [<ffffffff810990e5>] ? local_clock+0x25/0x30
     [<ffffffff810abd94>] ? __lock_acquire+0x274/0x700
     [<ffffffff811f4610>] ? ext4_unwritten_wait+0xb0/0xb0
     [<ffffffff811bd756>] aio_run_iocb+0x286/0x410
     [<ffffffff810990e5>] ? local_clock+0x25/0x30
     [<ffffffff810ac359>] ? lock_release_holdtime+0x29/0x190
     [<ffffffff811bc05b>] ? lookup_ioctx+0x4b/0xf0
     [<ffffffff811bde3b>] do_io_submit+0x55b/0x740
     [<ffffffff811bdcaa>] ? do_io_submit+0x3ca/0x740
     [<ffffffff811be030>] SyS_io_submit+0x10/0x20
     [<ffffffff815ce192>] system_call_fastpath+0x16/0x1b
    Code: 01 48 8b 80 f0 01 00 00 48 8b 18 49 8b 45 10 0f 85 f1 01 00 00 48 03 45 c8 48 3b 43 48 0f 8f e3 01 00 00 49 83 7c
    24 18 00 75 04 <0f> 0b eb fe f0 ff 83 ec 01 00 00 49 8b 44 24 18 8b 00 85 c0 89
    RIP  [<ffffffff811fabf2>] ext4_direct_IO+0x162/0x3d0
     RSP <ffff88080f90bb58>
    
    Reported-by: Sasha Levin <sasha.levin at oracle.com>
    Signed-off-by: Theodore Ts'o <tytso at mit.edu>
    Signed-off-by: Dmitry Monakhov <dmonakhov at openvz.org>
    
    Cc: stable at vger.kernel.org
---
 fs/ext4/file.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/ext4/file.c b/fs/ext4/file.c
index 2ba3bec..160fceb 100644
--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -172,6 +172,7 @@ ext4_file_write(struct kiocb *iocb, const struct iovec *iov,
 {
 	struct inode *inode = file_inode(iocb->ki_filp);
 	ssize_t ret;
+	int overwrite = 0;
 
 	/*
 	 * If we have encountered a bitmap-format file, the size limit
@@ -192,6 +193,8 @@ ext4_file_write(struct kiocb *iocb, const struct iovec *iov,
 		}
 	}
 
+	iocb->private = &overwrite;
+
 	if (unlikely(iocb->ki_filp->f_flags & O_DIRECT))
 		ret = ext4_file_dio_write(iocb, iov, nr_segs, pos);
 	else



More information about the Devel mailing list