[kernel/f20] CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)

Josh Boyer jwboyer at fedoraproject.org
Mon Feb 23 19:30:03 UTC 2015


commit 19978814d6dbdbef2b87733ff5aeb363bf6d1f49
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Mon Feb 23 14:27:35 2015 -0500

    CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)

 ext4-Allocate-entire-range-in-zero-range.patch | 78 ++++++++++++++++++++++++++
 kernel.spec                                    |  9 +++
 2 files changed, 87 insertions(+)
---
diff --git a/ext4-Allocate-entire-range-in-zero-range.patch b/ext4-Allocate-entire-range-in-zero-range.patch
new file mode 100644
index 0000000..fdace6d
--- /dev/null
+++ b/ext4-Allocate-entire-range-in-zero-range.patch
@@ -0,0 +1,78 @@
+From: Lukas Czerner <lczerner at redhat.com>
+Date: Wed, 18 Feb 2015 17:49:28 +0100
+Subject: [PATCH] ext4: Allocate entire range in zero range
+
+Currently there is a bug in zero range code which causes zero range
+calls to only allocate block aligned portion of the range, while
+ignoring the rest in some cases.
+
+In some cases, namely if the end of the range is past isize, we do
+attempt to preallocate the last nonaligned block. However this might
+cause kernel to BUG() in some carefully designed zero range requests on
+setups where page size > block size.
+
+Fix this problem by first preallocating the entire range, including the
+nonaligned edges and converting the written extents to unwritten in the
+next step. This approach will also give us the advantage of having the
+range to be as linearly contiguous as possible.
+
+Signed-off-by: Lukas Czerner <lczerner at redhat.com>
+---
+ fs/ext4/extents.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 0b16fb4c06d3..e3bf236a36ac 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4792,12 +4792,6 @@ static long ext4_zero_range(struct file *file, loff_t offset,
+ 	else
+ 		max_blocks -= lblk;
+ 
+-	flags = EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT |
+-		EXT4_GET_BLOCKS_CONVERT_UNWRITTEN |
+-		EXT4_EX_NOCACHE;
+-	if (mode & FALLOC_FL_KEEP_SIZE)
+-		flags |= EXT4_GET_BLOCKS_KEEP_SIZE;
+-
+ 	mutex_lock(&inode->i_mutex);
+ 
+ 	/*
+@@ -4814,15 +4808,28 @@ static long ext4_zero_range(struct file *file, loff_t offset,
+ 		ret = inode_newsize_ok(inode, new_size);
+ 		if (ret)
+ 			goto out_mutex;
+-		/*
+-		 * If we have a partial block after EOF we have to allocate
+-		 * the entire block.
+-		 */
+-		if (partial_end)
+-			max_blocks += 1;
+ 	}
+ 
++	flags = EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT;
++	if (mode & FALLOC_FL_KEEP_SIZE)
++		flags |= EXT4_GET_BLOCKS_KEEP_SIZE;
++
++	/* Preallocate the range including the unaligned edges */
++	if (partial_begin || partial_end) {
++		ret = ext4_alloc_file_blocks(file,
++				round_down(offset, 1 << blkbits) >> blkbits,
++				(round_up((offset + len), 1 << blkbits) -
++				 round_down(offset, 1 << blkbits)) >> blkbits,
++				new_size, flags, mode);
++		if (ret)
++			goto out_mutex;
++
++	}
++
++	/* Zero range excluding the unaligned edges */
+ 	if (max_blocks > 0) {
++		flags |= (EXT4_GET_BLOCKS_CONVERT_UNWRITTEN |
++			  EXT4_EX_NOCACHE);
+ 
+ 		/* Now release the pages and zero block aligned part of pages*/
+ 		truncate_pagecache_range(inode, start, end - 1);
+-- 
+2.1.0
+
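Review bot: The new `/* Preallocate the range including the unaligned edges */` comment says what the ext4_alloc_file_blocks() call does but not why the whole rounded range is allocated before the aligned part is zeroed, and a reader of extents.c will not have this commit message in front of them. I would extend it to say that allocating only the aligned part (plus the trailing block when partial_end) left partial blocks unallocated and, per the commit message, could trigger a BUG() on setups where page size > block size, and that the aligned interior is then converted with CONVERT_UNWRITTEN in the `max_blocks > 0` branch below. In that branch, `flags` already carries CREATE_UNWRIT_EXT and possibly KEEP_SIZE from the preallocation step, so ORing in `EXT4_GET_BLOCKS_CONVERT_UNWRITTEN | EXT4_EX_NOCACHE` is intentional but deserves a one-liner such as `/* reuse the preallocation flags; additionally convert the aligned part */`. Minor style: the empty line between `goto out_mutex;` and the closing brace of the `if (partial_begin || partial_end)` block should be dropped. ext4_zero_range() starts before and continues after this hunk, so the rest of the flag usage is not visible here.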
diff --git a/kernel.spec b/kernel.spec
index 25d945f..3b76c18 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -764,6 +764,9 @@ Patch26135: ASLR-fix-stack-randomization-on-64-bit-systems.patch
 #CVE-XXXX-XXXX rhbz 1189864 1192079
 Patch26136: vhost-scsi-potential-memory-corruption.patch
 
+#CVE-2015-0275 rhbz 1193907 1195178
+Patch26138: ext4-Allocate-entire-range-in-zero-range.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1491,6 +1494,9 @@ ApplyPatch ASLR-fix-stack-randomization-on-64-bit-systems.patch
 #CVE-XXXX-XXXX rhbz 1189864 1192079
 ApplyPatch vhost-scsi-potential-memory-corruption.patch
 
+#CVE-2015-0275 rhbz 1193907 1195178
+ApplyPatch ext4-Allocate-entire-range-in-zero-range.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2309,6 +2315,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Mon Feb 23 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)
+
 * Mon Feb 16 2015 Josh Boyer <jwboyer at fedoraproject.org>
 - CVE-XXXX-XXXX potential memory corruption in vhost/scsi driver (rhbz 1189864 1192079)
 - CVE-2015-1593 stack ASLR integer overflow (rhbz 1192519 1192520)

