[kernel/f21] CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)

Josh Boyer jwboyer at fedoraproject.org
Mon Feb 23 19:30:52 UTC 2015


commit 20c2f18ff6941a38b5820daa46ea48ed854ccef2
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Mon Feb 23 14:27:35 2015 -0500

    CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)

 Kbuild-Add-an-option-to-enable-GCC-VTA.patch       |  2 +-
 ext4-Allocate-entire-range-in-zero-range.patch     | 78 ++++++++++++++++++++++
 kernel.spec                                        |  9 +++
 ...sd_revalidate_disk-prevent-NULL-ptr-deref.patch |  2 +-
 uas-Do-not-blacklist-ASM1153-disk-enclosures.patch |  2 +-
 5 files changed, 90 insertions(+), 3 deletions(-)
---
diff --git a/Kbuild-Add-an-option-to-enable-GCC-VTA.patch b/Kbuild-Add-an-option-to-enable-GCC-VTA.patch
index 09cbdb0..91cd1d0 100644
--- a/Kbuild-Add-an-option-to-enable-GCC-VTA.patch
+++ b/Kbuild-Add-an-option-to-enable-GCC-VTA.patch
@@ -43,7 +43,7 @@ Signed-off-by: Josh Stone <jistone at redhat.com>
  2 files changed, 21 insertions(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index 6276fcaabf21..fda7c73b428f 100644
+index 0efae2279fbe..9eb829052936 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -704,7 +704,11 @@ KBUILD_CFLAGS	+= -fomit-frame-pointer
diff --git a/ext4-Allocate-entire-range-in-zero-range.patch b/ext4-Allocate-entire-range-in-zero-range.patch
new file mode 100644
index 0000000..fdace6d
--- /dev/null
+++ b/ext4-Allocate-entire-range-in-zero-range.patch
@@ -0,0 +1,78 @@
+From: Lukas Czerner <lczerner at redhat.com>
+Date: Wed, 18 Feb 2015 17:49:28 +0100
+Subject: [PATCH] ext4: Allocate entire range in zero range
+
+Currently there is a bug in zero range code which causes zero range
+calls to only allocate block aligned portion of the range, while
+ignoring the rest in some cases.
+
+In some cases, namely if the end of the range is past isize, we do
+attempt to preallocate the last nonaligned block. However this might
+cause kernel to BUG() in some carefully designed zero range requests on
+setups where page size > block size.
+
+Fix this problem by first preallocating the entire range, including the
+nonaligned edges and converting the written extents to unwritten in the
+next step. This approach will also give us the advantage of having the
+range to be as linearly contiguous as possible.
+
+Signed-off-by: Lukas Czerner <lczerner at redhat.com>
+---
+ fs/ext4/extents.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 0b16fb4c06d3..e3bf236a36ac 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4792,12 +4792,6 @@ static long ext4_zero_range(struct file *file, loff_t offset,
+ 	else
+ 		max_blocks -= lblk;
+ 
+-	flags = EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT |
+-		EXT4_GET_BLOCKS_CONVERT_UNWRITTEN |
+-		EXT4_EX_NOCACHE;
+-	if (mode & FALLOC_FL_KEEP_SIZE)
+-		flags |= EXT4_GET_BLOCKS_KEEP_SIZE;
+-
+ 	mutex_lock(&inode->i_mutex);
+ 
+ 	/*
+@@ -4814,15 +4808,28 @@ static long ext4_zero_range(struct file *file, loff_t offset,
+ 		ret = inode_newsize_ok(inode, new_size);
+ 		if (ret)
+ 			goto out_mutex;
+-		/*
+-		 * If we have a partial block after EOF we have to allocate
+-		 * the entire block.
+-		 */
+-		if (partial_end)
+-			max_blocks += 1;
+ 	}
+ 
++	flags = EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT;
++	if (mode & FALLOC_FL_KEEP_SIZE)
++		flags |= EXT4_GET_BLOCKS_KEEP_SIZE;
++
++	/* Preallocate the range including the unaligned edges */
++	if (partial_begin || partial_end) {
++		ret = ext4_alloc_file_blocks(file,
++				round_down(offset, 1 << blkbits) >> blkbits,
++				(round_up((offset + len), 1 << blkbits) -
++				 round_down(offset, 1 << blkbits)) >> blkbits,
++				new_size, flags, mode);
++		if (ret)
++			goto out_mutex;
++
++	}
++
++	/* Zero range excluding the unaligned edges */
+ 	if (max_blocks > 0) {
++		flags |= (EXT4_GET_BLOCKS_CONVERT_UNWRITTEN |
++			  EXT4_EX_NOCACHE);
+ 
+ 		/* Now release the pages and zero block aligned part of pages*/
+ 		truncate_pagecache_range(inode, start, end - 1);
+-- 
+2.1.0
+
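Review bot: The new patch file carries no upstream commit reference or Upstream-status line, whereas sibling patch files in this tree do (the scsi patch header visible further down shows `Upstream-status: Fedora mustard`), and the CVE identifier appears only in kernel.spec, never in the patch header itself. Adding `Upstream-status: <upstream-commit-id placeholder>` and `CVE: CVE-2015-0275` under the Subject line would let a later rebase verify that the backport matches what went upstream. Style: the added preallocation block ends with a stray blank line before its closing brace (`+` empty line followed by `+	}` after the `goto out_mutex;`), which kernel coding style would drop. The embedded hunks cut `ext4_zero_range` at both ends, the second ending inside `if (max_blocks > 0)`, so whether `new_size` passed to `ext4_alloc_file_blocks` is initialised on the path where the `inode_newsize_ok` branch is not taken cannot be confirmed from here and should be checked against the full function.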
diff --git a/kernel.spec b/kernel.spec
index 82fdb79..1816eb3 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -647,6 +647,9 @@ Patch26135: ASLR-fix-stack-randomization-on-64-bit-systems.patch
 #CVE-XXXX-XXXX rhbz 1189864 1192079
 Patch26136: vhost-scsi-potential-memory-corruption.patch
 
+#CVE-2015-0275 rhbz 1193907 1195178
+Patch26138: ext4-Allocate-entire-range-in-zero-range.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1399,6 +1402,9 @@ ApplyPatch ASLR-fix-stack-randomization-on-64-bit-systems.patch
 #CVE-XXXX-XXXX rhbz 1189864 1192079
 ApplyPatch vhost-scsi-potential-memory-corruption.patch
 
+#CVE-2015-0275 rhbz 1193907 1195178
+ApplyPatch ext4-Allocate-entire-range-in-zero-range.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2269,6 +2275,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Mon Feb 23 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)
+
 * Fri Feb 20 2015 Josh Boyer <jwboyer at fedoraproject.org>
 - Move mtpspi and related mods to kernel-core for VMWare guests (rhbz 1194612)
 
diff --git a/scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch b/scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
index 6253005..3176c9e 100644
--- a/scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
+++ b/scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
@@ -9,7 +9,7 @@ Upstream-status: Fedora mustard (might be worth dropping...)
  1 file changed, 6 insertions(+), 1 deletion(-)
 
 diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
-index cfba74cd8e8b..5127df3cc064 100644
+index dd8c8d690763..100e6a54264d 100644
 --- a/drivers/scsi/sd.c
 +++ b/drivers/scsi/sd.c
 @@ -2768,13 +2768,18 @@ static int sd_try_extended_inquiry(struct scsi_device *sdp)
diff --git a/uas-Do-not-blacklist-ASM1153-disk-enclosures.patch b/uas-Do-not-blacklist-ASM1153-disk-enclosures.patch
index e04af30..b8fc76f 100644
--- a/uas-Do-not-blacklist-ASM1153-disk-enclosures.patch
+++ b/uas-Do-not-blacklist-ASM1153-disk-enclosures.patch
@@ -71,7 +71,7 @@ index 8a6f371ed6e7..9893d696fc97 100644
  		}
  	}
 diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h
-index 1f430bb02ca1..9ec4561f6c2c 100644
+index 2706a434fdbb..da3d98c72db1 100644
 --- a/drivers/usb/storage/unusual_uas.h
 +++ b/drivers/usb/storage/unusual_uas.h
 @@ -110,14 +110,6 @@ UNUSUAL_DEV(0x152d, 0x0567, 0x0000, 0x9999,

