[kernel/f20] CVE-2014-8086 ext4: race condition (rhbz 1151353 1152608)
Josh Boyer
jwboyer at fedoraproject.org
Fri Oct 17 19:29:09 UTC 2014
commit 8c3de309e0cd9afef0c9885c33232ce8c1c3920f
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Fri Oct 17 15:13:19 2014 -0400
CVE-2014-8086 ext4: race condition (rhbz 1151353 1152608)
...-fix-race-between-write-and-fcntl-F_SETFL.patch | 179 ++++++++++++++++++++
kernel.spec | 11 +-
2 files changed, 189 insertions(+), 1 deletions(-)
---
diff --git a/ext4-fix-race-between-write-and-fcntl-F_SETFL.patch b/ext4-fix-race-between-write-and-fcntl-F_SETFL.patch
new file mode 100644
index 0000000..a8a2f5d
--- /dev/null
+++ b/ext4-fix-race-between-write-and-fcntl-F_SETFL.patch
@@ -0,0 +1,179 @@
+From: Dmitry Monakhov <dmonakhov at xxxxxxxx>
+Date: Thu, 9 Oct 2014 15:14:47 +0400
+Subject: [PATCH] ext4: fix race between write and fcntl(F_SETFL)
+
+O_DIRECT flags can be toggeled via fcntl(F_SETFL).
+But this value checked twice inside ext4_file_write_iter() and __generic_file_write()
+which result in BUG_ON (see typical stack trace below)
+In order to fix this we have to use our own copy of __generic_file_write and
+pass o_direct status explicitly.
+
+TESTCASE: xfstest:generic/326 (http://patchwork.ozlabs.org/patch/397949/)
+
+kernel BUG at fs/ext4/inode.c:2960!
+invalid opcode: 0000 [#1] SMP
+Modules linked in: brd iTCO_wdt lpc_ich mfd_core igb ptp dm_mirror dm_region_hash dm_log dm_mod
+CPU: 6 PID: 5505 Comm: aio-dio-fcntl-r Not tainted 3.17.0-rc2-00176-gff5c017 #161
+Hardware name: Intel Corporation W2600CR/W2600CR, BIOS SE5C600.86B.99.99.x028.061320111235 06/13/2011
+task: ffff88080e95a7c0 ti: ffff88080f908000 task.ti: ffff88080f908000
+RIP: 0010:[<ffffffff811fabf2>] [<ffffffff811fabf2>] ext4_direct_IO+0x162/0x3d0
+RSP: 0018:ffff88080f90bb58 EFLAGS: 00010246
+RAX: 0000000000000400 RBX: ffff88080fdb2a28 RCX: 00000000a802c818
+RDX: 0000040000080000 RSI: ffff88080d8aeb80 RDI: 0000000000000001
+RBP: ffff88080f90bbc8 R08: 0000000000000000 R09: 0000000000001581
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff88080d8aeb80
+R13: ffff88080f90bbf8 R14: ffff88080fdb28c8 R15: ffff88080fdb2a28
+FS: 00007f23b2055700(0000) GS:ffff880818400000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f23b2045000 CR3: 000000080cedf000 CR4: 00000000000407e0
+Stack:
+ ffff88080f90bb98 0000000000000000 7ffffffffffffffe ffff88080fdb2c30
+ 0000000000000200 0000000000000200 0000000000000001 0000000000000200
+ ffff88080f90bbc8 ffff88080fdb2c30 ffff88080f90be08 0000000000000200
+Call Trace:
+ [<ffffffff8112ca9d>] generic_file_direct_write+0xed/0x180
+ [<ffffffff8112f2b2>] __generic_file_write_iter+0x222/0x370
+ [<ffffffff811f495b>] ext4_file_write_iter+0x34b/0x400
+ [<ffffffff811bd709>] ? aio_run_iocb+0x239/0x410
+ [<ffffffff811bd709>] ? aio_run_iocb+0x239/0x410
+ [<ffffffff810990e5>] ? local_clock+0x25/0x30
+ [<ffffffff810abd94>] ? __lock_acquire+0x274/0x700
+ [<ffffffff811f4610>] ? ext4_unwritten_wait+0xb0/0xb0
+ [<ffffffff811bd756>] aio_run_iocb+0x286/0x410
+ [<ffffffff810990e5>] ? local_clock+0x25/0x30
+ [<ffffffff810ac359>] ? lock_release_holdtime+0x29/0x190
+ [<ffffffff811bc05b>] ? lookup_ioctx+0x4b/0xf0
+ [<ffffffff811bde3b>] do_io_submit+0x55b/0x740
+ [<ffffffff811bdcaa>] ? do_io_submit+0x3ca/0x740
+ [<ffffffff811be030>] SyS_io_submit+0x10/0x20
+ [<ffffffff815ce192>] system_call_fastpath+0x16/0x1b
+Code: 01 48 8b 80 f0 01 00 00 48 8b 18 49 8b 45 10 0f 85 f1 01 00 00 48 03 45 c8 48 3b 43 48 0f 8f e3 01 00 00 49 83 7c 24 18 00 75 04 <0f> 0b eb fe f0 ff 83 ec 01 00 00 49 8b 44 24 18 8b 00 85 c0 89
+RIP [<ffffffff811fabf2>] ext4_direct_IO+0x162/0x3d0
+ RSP <ffff88080f90bb58>
+
+Upstream-status: Submitted but likely not accepted
+Bugzilla: 1152608
+
+Reported-by: Sasha Levin <sasha.levin at xxxxxxxxxx>
+Signed-off-by: Dmitry Monakhov <dmonakhov at xxxxxxxxxx>
+---
+ fs/ext4/file.c | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 95 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/file.c b/fs/ext4/file.c
+index aca7b24a4432..8477eb259809 100644
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -88,6 +88,100 @@ ext4_unaligned_aio(struct inode *inode, struct iov_iter *from, loff_t pos)
+ return 0;
+ }
+
++/**
++ * copy of __generic_file_write_iter with explicit O_DIRECT status
++ * @iocb: IO state structure (file, offset, etc.)
++ * @from: iov_iter with data to write
++ * @direct: perform O_DIRECT IO
++ */
++static ssize_t
++__ext4_file_write_iter(struct kiocb *iocb, struct iov_iter *from, int direct)
++{
++ struct file *file = iocb->ki_filp;
++ struct address_space *mapping = file->f_mapping;
++ struct inode *inode = mapping->host;
++ loff_t pos = iocb->ki_pos;
++ ssize_t written = 0;
++ ssize_t err;
++ ssize_t status;
++ size_t count = iov_iter_count(from);
++
++ /* We can write back this queue in page reclaim */
++ current->backing_dev_info = mapping->backing_dev_info;
++ err = generic_write_checks(file, &pos, &count, S_ISBLK(inode->i_mode));
++ if (err)
++ goto out;
++
++ if (count == 0)
++ goto out;
++
++ iov_iter_truncate(from, count);
++
++ err = file_remove_suid(file);
++ if (err)
++ goto out;
++
++ err = file_update_time(file);
++ if (err)
++ goto out;
++
++ /* coalesce the iovecs and go direct-to-BIO for O_DIRECT */
++ if (unlikely(direct)) {
++ loff_t endbyte;
++
++ written = generic_file_direct_write(iocb, from, pos);
++ if (written < 0 || written == count)
++ goto out;
++
++ /*
++ * direct-io write to a hole: fall through to buffered I/O
++ * for completing the rest of the request.
++ */
++ pos += written;
++ count -= written;
++
++ status = generic_perform_write(file, from, pos);
++ /*
++ * If generic_perform_write() returned a synchronous error
++ * then we want to return the number of bytes which were
++ * direct-written, or the error code if that was zero. Note
++ * that this differs from normal direct-io semantics, which
++ * will return -EFOO even if some bytes were written.
++ */
++ if (unlikely(status < 0)) {
++ err = status;
++ goto out;
++ }
++ iocb->ki_pos = pos + status;
++ /*
++ * We need to ensure that the page cache pages are written to
++ * disk and invalidated to preserve the expected O_DIRECT
++ * semantics.
++ */
++ endbyte = pos + status - 1;
++ err = filemap_write_and_wait_range(file->f_mapping, pos,
++ endbyte);
++ if (err == 0) {
++ written += status;
++ invalidate_mapping_pages(mapping,
++ pos >> PAGE_CACHE_SHIFT,
++ endbyte >> PAGE_CACHE_SHIFT);
++ } else {
++ /*
++ * We don't know how much we wrote, so just return
++ * the number of bytes which were direct-written
++ */
++ }
++ } else {
++ written = generic_perform_write(file, from, pos);
++ if (likely(written >= 0))
++ iocb->ki_pos = pos + written;
++ }
++out:
++ current->backing_dev_info = NULL;
++ return written ? written : err;
++}
++
+ static ssize_t
+ ext4_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
+ {
+@@ -172,7 +266,7 @@ ext4_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
+ }
+ }
+
+- ret = __generic_file_write_iter(iocb, from);
++ ret = __ext4_file_write_iter(iocb, from, o_direct);
+ mutex_unlock(&inode->i_mutex);
+
+ if (ret > 0) {
+--
+1.9.3
+
diff --git a/kernel.spec b/kernel.spec
index 54ca4ab..3fcb275 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 200
+%global baserelease 201
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -736,6 +736,9 @@ Patch26041: HID-usbhid-always-poll-quirk-for-Elan-Touchscreen-01.patch
#CVE-2014-7975 rhbz 1151108 1152025
Patch26042: fs-Add-a-missing-permission-check-to-do_umount.patch
+#CVE-2014-8086 rhbz 1151353 1152608
+Patch26056: ext4-fix-race-between-write-and-fcntl-F_SETFL.patch
+
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
Patch30000: kernel-arm64.patch
@@ -1440,6 +1443,9 @@ ApplyPatch HID-usbhid-always-poll-quirk-for-Elan-Touchscreen-01.patch
#CVE-2014-7975 rhbz 1151108 1152025
ApplyPatch fs-Add-a-missing-permission-check-to-do_umount.patch
+#CVE-2014-8086 rhbz 1151353 1152608
+ApplyPatch ext4-fix-race-between-write-and-fcntl-F_SETFL.patch
+
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2258,6 +2264,9 @@ fi
# ||----w |
# || ||
%changelog
+* Fri Oct 17 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-8086 ext4: race condition (rhbz 1151353 1152608)
+
* Wed Oct 15 2014 Justin M. Forbes <jforbes at fedoraproject.org> - 3.16.6-200
- Linux v3.16.6
More information about the scm-commits
mailing list