oss-sec mailing list archives

CVE Request -- kernel: ext4: ext4_ext_insert_extent() kernel oops

From: Petr Matousek <pmatouse () redhat com>
Date: Fri, 21 Oct 2011 15:24:30 +0200

A flaw was found in the way splitting two extents in
ext4_ext_convert_to_initialized() worked. Althrough ex has been updated
in memory, it is not dirtied both in ext4_ext_convert_to_initialized()
and ext4_ext_insert_extent(). The disk layout is corrupted. Then it
will meet with a BUG_ON() when writting at the start of that extent
again.

Local unprivileged users can use this flaw to crash the system when ext4
filesystem is in use.

Introduced in:
56055d3ae4cc7fa6d2b10885f20269de8a989ed7

Upstream fix:
667eff35a1f56fa74ce98a0c7c29a40adc1ba4e3

Credits:
Zheng Liu

References:
https://bugzilla.redhat.com/show_bug.cgi?id=747942

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team

Current thread:

CVE Request -- kernel: ext4: ext4_ext_insert_extent() kernel oops Petr Matousek (Oct 21)
- Re: CVE Request -- kernel: ext4: ext4_ext_insert_extent() kernel oops Eugene Teo (Oct 24)