Message-ID: <CAKx+4-rd1JnV+C-0kxq4NWn1N-BPOxZpE29iYsXk8Y6MqbVkAw@mail.gmail.com>
Date: Mon, 10 Jan 2022 17:49:47 +0530
From: Rohit Keshri <rkeshri@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-4155 kernel: xfs: raw block device data leak
 in ioctl(XFS_IOC_ALLOCSP)

Hello,

A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS
filesystem allowed for a size increase of files with unaligned size. A
local attacker could use this flaw to leak data on the XFS filesystem
otherwise not accessible to them.

#Description

(Kirill reported)
"the scenario is:

1) truncate() file by unaligned @size;
2) ioctl(XFS_IOC_ALLOCSP) to increase the file size up to 4096.

then xfs_ioc_space()->xfs_vn_setattr_size() never zeros
[round_down(@size, 4096), @size] and this raw block device data leaks
away to user."

#Fix
The patch for this issue:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=983d8e60f50806f90534cc5373d0ce867e5aaf79

#CVE
Red Hat has assigned CVE-2021-4155 to this issue.
https://access.redhat.com/security/cve/CVE-2021-4155
https://bugzilla.redhat.com/show_bug.cgi?id=2034813

#Credit
Kirill Tkhai (Virtuozzo Kernel team)

Thanks,
..
Rohit Keshri / Red Hat Product Security Team
PGP: OX01BC 858A 07B7 15C8 EF33 BFE2 2EEB 0CBC 84A4 4C2D

secalert@...hat.com for urgent response
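
Added illustration, not part of the original advisory and not kernel code: a user-space C model of the byte range in Kirill's scenario, showing which bytes of the tail block stay unzeroed when only [old size, new size) is cleared. The function name, the `STALE` marker and the "hardened" variant are assumptions made for the example; the hardened path only shows the range that has to be covered and does not reproduce the upstream patch.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BLKSZ 4096u
#define STALE 0xAA /* constructed marker standing in for leftover disk data */

/* round_down() as written in the report: largest multiple of blk <= x */
static size_t round_down_sz(size_t x, size_t blk) { return x - (x % blk); }

/*
 * Model one freshly allocated block covering the file tail.
 * Assumption: nothing was ever written to [round_down(old_size), old_size),
 * so the block still holds whatever was on the device.
 * zero_whole_block == 0: only [old_size, new_size) is zeroed (reported flaw).
 * zero_whole_block == 1: zeroing starts at round_down(old_size, BLKSZ).
 * Returns how many stale bytes a read up to new_size would see,
 * or (size_t)-1 if the sizes do not fit this single-block model.
 */
size_t stale_bytes_after_extend(size_t old_size, size_t new_size,
                                int zero_whole_block)
{
    unsigned char block[BLKSZ];
    size_t base = round_down_sz(old_size, BLKSZ);
    size_t from = zero_whole_block ? base : old_size;
    size_t i, stale = 0;

    if (new_size < old_size || new_size > base + BLKSZ)
        return (size_t)-1;
    memset(block, STALE, sizeof block);                /* raw device contents */
    memset(block + (from - base), 0, new_size - from); /* the zeroing step */
    for (i = 0; i < new_size - base; i++)
        if (block[i] == STALE)
            stale++;
    return stale;
}

int main(void)
{
    printf("unaligned 1000 -> 4096, flawed:   %zu stale bytes\n",
           stale_bytes_after_extend(1000, 4096, 0));
    printf("unaligned 1000 -> 4096, hardened: %zu stale bytes\n",
           stale_bytes_after_extend(1000, 4096, 1));
    printf("aligned   4096 -> 8192, flawed:   %zu stale bytes\n",
           stale_bytes_after_extend(4096, 8192, 0));
    return 0;
}
```

In this model the exposed byte count equals the old size modulo 4096, which is why only unaligned sizes are affected.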
