Bug 899480 - (CVE-2014-7283) VUL-0: CVE-2014-7283: kernel: xfs: memory corruption by creating directories
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: Kernel Bugs
Reported: 2014-10-02 05:38 UTC by Marcus Meissner
Modified: 2021-04-19 11:36 UTC (History)
Description Marcus Meissner 2014-10-02 05:38:00 UTC
via oss-sec

From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Thu, 02 Oct 2014 00:05:45 +0200
Subject: [oss-security] xfs directory hash ordering bug

Hello!

Another kernel bug which did not get a CVE yet, but should be considered
to get one (sorry for the late notification):

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c88547a8119e3b581318ab65e9b72f27f23e641d

Basically it allows a local user to corrupt an xfs filesystem by just
creating directories. Depending on whether it is the root filesystem or
not the kernel panics or just oopses and forcefully disconnects the
filesystem.

The commit states that xfs_repair repairs the filesystem but IIRC
further access to that directory would still cause the kernel to either
oops or panic. So xfs_repair could not correctly fix the filesystem in
all situations. But I am not sure anymore and didn't follow up on this
(I had a relocation coming up).

My initial report here:
http://marc.info/?l=linux-xfs&m=139590613002926&w=2

Reproducer:
http://oss.sgi.com/cgi-bin/gitweb.cgi?p=xfs/cmds/xfstests.git;a=commitdiff;h=947ee8bd4b59770534297572b14c695e9c6e001e

Thanks,
Hannes
Comment 1 Michal Hocko 2014-10-02 07:18:14 UTC
3.10+ issue so no TD branch is affected.
Comment 3 Marcus Meissner 2014-10-02 08:54:09 UTC
SLE12, openSUSE 13.1, 13.2, Factory affected.
Comment 4 SMASH SMASH 2014-10-02 08:55:07 UTC
Affected packages:

SLE-12: kernel-source
Comment 5 Borislav Petkov 2014-10-02 09:31:14 UTC
Actually, SLE12 has the fix: the respective stable commit id fd4037cadecf7b5c0e288c19d958917ac1c62a83 went in in 3.12.18 stable AFAICT.
Comment 6 Swamp Workflow Management 2014-10-02 22:00:13 UTC
bugbot adjusting priority
Comment 7 Michal Marek 2014-11-07 14:22:21 UTC
The fix went into 3.15-rc1, so openSUSE 13.2 and Factory are fine. openSUSE 13.1 is indeed missing the fix.
Comment 8 Jan Kara 2014-11-10 10:27:55 UTC
Pushed to openSUSE 13.1 kernel branch. All is done so moving the bug back to security-team.
Comment 9 Marcus Meissner 2015-03-05 08:03:04 UTC
no need to continue tracking for opensuse, will be in next update