oss-sec mailing list archives

CVE-2012-4508 -- kernel: ext4: AIO vs fallocate stale data exposure
From: Petr Matousek <pmatouse () redhat com>
Date: Thu, 25 Oct 2012 08:41:41 +0200

A race condition flaw has been found in the way asynchronous I/O and
fallocate interacted which can lead to exposure of stale data -- that
is, an extent which should have had the "uninitialized" bit set
indicating that its blocks have not yet been written and thus contain
data from a deleted file. An unprivileged local user could use this flaw
to cause an information leak.


Red Hat would like to thank Theodore Tso for reporting this issue.
Upstream acknowledges Dmitry Monakhov as the original reporter.

Upstream fix:

Please see https://bugzilla.redhat.com/show_bug.cgi?id=869904#c1 for
further information regarding the patch.


Petr Matousek / Red Hat Security Response Team
