[kernel/f21] CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)
Josh Boyer
jwboyer at fedoraproject.org
Mon Feb 23 19:30:52 UTC 2015
commit 20c2f18ff6941a38b5820daa46ea48ed854ccef2
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Mon Feb 23 14:27:35 2015 -0500
CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)
Kbuild-Add-an-option-to-enable-GCC-VTA.patch | 2 +-
ext4-Allocate-entire-range-in-zero-range.patch | 78 ++++++++++++++++++++++
kernel.spec | 9 +++
...sd_revalidate_disk-prevent-NULL-ptr-deref.patch | 2 +-
uas-Do-not-blacklist-ASM1153-disk-enclosures.patch | 2 +-
5 files changed, 90 insertions(+), 3 deletions(-)
---
diff --git a/Kbuild-Add-an-option-to-enable-GCC-VTA.patch b/Kbuild-Add-an-option-to-enable-GCC-VTA.patch
index 09cbdb0..91cd1d0 100644
--- a/Kbuild-Add-an-option-to-enable-GCC-VTA.patch
+++ b/Kbuild-Add-an-option-to-enable-GCC-VTA.patch
@@ -43,7 +43,7 @@ Signed-off-by: Josh Stone <jistone at redhat.com>
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
-index 6276fcaabf21..fda7c73b428f 100644
+index 0efae2279fbe..9eb829052936 100644
--- a/Makefile
+++ b/Makefile
@@ -704,7 +704,11 @@ KBUILD_CFLAGS += -fomit-frame-pointer
diff --git a/ext4-Allocate-entire-range-in-zero-range.patch b/ext4-Allocate-entire-range-in-zero-range.patch
new file mode 100644
index 0000000..fdace6d
--- /dev/null
+++ b/ext4-Allocate-entire-range-in-zero-range.patch
@@ -0,0 +1,78 @@
+From: Lukas Czerner <lczerner at redhat.com>
+Date: Wed, 18 Feb 2015 17:49:28 +0100
+Subject: [PATCH] ext4: Allocate entire range in zero range
+
+Currently there is a bug in zero range code which causes zero range
+calls to only allocate block aligned portion of the range, while
+ignoring the rest in some cases.
+
+In some cases, namely if the end of the range is past isize, we do
+attempt to preallocate the last nonaligned block. However this might
+cause kernel to BUG() in some carefully designed zero range requests on
+setups where page size > block size.
+
+Fix this problem by first preallocating the entire range, including the
+nonaligned edges and converting the written extents to unwritten in the
+next step. This approach will also give us the advantage of having the
+range to be as linearly contiguous as possible.
+
+Signed-off-by: Lukas Czerner <lczerner at redhat.com>
+---
+ fs/ext4/extents.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 0b16fb4c06d3..e3bf236a36ac 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4792,12 +4792,6 @@ static long ext4_zero_range(struct file *file, loff_t offset,
+ else
+ max_blocks -= lblk;
+
+- flags = EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT |
+- EXT4_GET_BLOCKS_CONVERT_UNWRITTEN |
+- EXT4_EX_NOCACHE;
+- if (mode & FALLOC_FL_KEEP_SIZE)
+- flags |= EXT4_GET_BLOCKS_KEEP_SIZE;
+-
+ mutex_lock(&inode->i_mutex);
+
+ /*
+@@ -4814,15 +4808,28 @@ static long ext4_zero_range(struct file *file, loff_t offset,
+ ret = inode_newsize_ok(inode, new_size);
+ if (ret)
+ goto out_mutex;
+- /*
+- * If we have a partial block after EOF we have to allocate
+- * the entire block.
+- */
+- if (partial_end)
+- max_blocks += 1;
+ }
+
++ flags = EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT;
++ if (mode & FALLOC_FL_KEEP_SIZE)
++ flags |= EXT4_GET_BLOCKS_KEEP_SIZE;
++
++ /* Preallocate the range including the unaligned edges */
++ if (partial_begin || partial_end) {
++ ret = ext4_alloc_file_blocks(file,
++ round_down(offset, 1 << blkbits) >> blkbits,
++ (round_up((offset + len), 1 << blkbits) -
++ round_down(offset, 1 << blkbits)) >> blkbits,
++ new_size, flags, mode);
++ if (ret)
++ goto out_mutex;
++
++ }
++
++ /* Zero range excluding the unaligned edges */
+ if (max_blocks > 0) {
++ flags |= (EXT4_GET_BLOCKS_CONVERT_UNWRITTEN |
++ EXT4_EX_NOCACHE);
+
+ /* Now release the pages and zero block aligned part of pages*/
+ truncate_pagecache_range(inode, start, end - 1);
+--
+2.1.0
+
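Review bot: The new patch file (from the `From:` line through the `Signed-off-by:` trailer) carries no upstream reference — no mainline commit id and no `Upstream-status:` line of the kind the sibling `scsi-sd_revalidate_disk` patch in this tree has — so a later rebase cannot tell whether it is a backport to drop once the stable tree picks it up or a Fedora-only carry; add `Upstream-status: submitted to linux-ext4 (CVE-2015-0275)` or the mainline commit id once it lands. On the code itself, the preallocation size `round_up((offset + len), 1 << blkbits) - round_down(offset, 1 << blkbits)` is computed in loff_t before the shift, which is only safe if `offset + len` has already been bounded against the maximum file size in the caller; that check presumably lives in ext4_fallocate, outside this hunk, so confirm it precedes the call. The two rounded bounds are also each evaluated twice inside the call; naming them (`loff_t alloc_start = round_down(offset, 1 << blkbits); loff_t alloc_end = round_up(offset + len, 1 << blkbits);`) and passing `alloc_start >> blkbits, (alloc_end - alloc_start) >> blkbits` would make the range easier to check against `start`/`end`, which are rounded inward rather than outward. ext4_zero_range begins and ends outside the hunk.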
diff --git a/kernel.spec b/kernel.spec
index 82fdb79..1816eb3 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -647,6 +647,9 @@ Patch26135: ASLR-fix-stack-randomization-on-64-bit-systems.patch
#CVE-XXXX-XXXX rhbz 1189864 1192079
Patch26136: vhost-scsi-potential-memory-corruption.patch
+#CVE-2015-0275 rhbz 1193907 1195178
+Patch26138: ext4-Allocate-entire-range-in-zero-range.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1399,6 +1402,9 @@ ApplyPatch ASLR-fix-stack-randomization-on-64-bit-systems.patch
#CVE-XXXX-XXXX rhbz 1189864 1192079
ApplyPatch vhost-scsi-potential-memory-corruption.patch
+#CVE-2015-0275 rhbz 1193907 1195178
+ApplyPatch ext4-Allocate-entire-range-in-zero-range.patch
+
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2269,6 +2275,9 @@ fi
# ||----w |
# || ||
%changelog
+* Mon Feb 23 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)
+
* Fri Feb 20 2015 Josh Boyer <jwboyer at fedoraproject.org>
- Move mtpspi and related mods to kernel-core for VMWare guests (rhbz 1194612)
diff --git a/scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch b/scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
index 6253005..3176c9e 100644
--- a/scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
+++ b/scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
@@ -9,7 +9,7 @@ Upstream-status: Fedora mustard (might be worth dropping...)
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
-index cfba74cd8e8b..5127df3cc064 100644
+index dd8c8d690763..100e6a54264d 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -2768,13 +2768,18 @@ static int sd_try_extended_inquiry(struct scsi_device *sdp)
diff --git a/uas-Do-not-blacklist-ASM1153-disk-enclosures.patch b/uas-Do-not-blacklist-ASM1153-disk-enclosures.patch
index e04af30..b8fc76f 100644
--- a/uas-Do-not-blacklist-ASM1153-disk-enclosures.patch
+++ b/uas-Do-not-blacklist-ASM1153-disk-enclosures.patch
@@ -71,7 +71,7 @@ index 8a6f371ed6e7..9893d696fc97 100644
}
}
diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h
-index 1f430bb02ca1..9ec4561f6c2c 100644
+index 2706a434fdbb..da3d98c72db1 100644
--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -110,14 +110,6 @@ UNUSUAL_DEV(0x152d, 0x0567, 0x0000, 0x9999,