Bug 919032 (CVE-2015-0275)

Summary: VUL-0: CVE-2015-0275: kernel: fs: ext4: fallocate zero range page size > block size BUG()
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: bpetkov, mhocko, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/114155/
Whiteboard: CVSSv2:RedHat:CVE-2015-0275:4.7:(AV:L/AC:M/Au:N/C:N/I:N/A:C) CVSSv2:NVD:CVE-2015-0275:4.9:(AV:L/AC:L/Au:N/C:N/I:N/A:C)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Johannes Segitz 2015-02-23 11:28:48 UTC 
OSS:2015/Q1/661

Currently there is a bug in zero range code which causes zero range
calls to only allocate block aligned portion of the range, while
ignoring the rest in some cases.

In some cases, namely if the end of the range is past isize, we do
attempt to preallocate the last nonaligned block. However this might
cause kernel to BUG() in some carefully designed zero range requests on
setups where page size > block size.

Fix: http://www.spinics.net/lists/linux-ext4/msg47193.html

References:
http://www.spinics.net/lists/linux-ext4/msg47193.html
https://bugzilla.redhat.com/show_bug.cgi?id=1193907
http://seclists.org/oss-sec/2015/q1/661
Comment 1 Swamp Workflow Management 2015-02-23 23:01:05 UTC 
bugbot adjusting priority
Comment 2 Jan Kara 2015-04-08 13:19:37 UTC 
Zero range functionality has been added in kernel 3.15-rc1. Thus the only affected branch is openSUSE-13.2. I've pushed the fix there so the bug is done from my side.

Reassigning to security team for tracking.
Comment 3 Marcus Meissner 2016-03-23 08:28:13 UTC 
done