Date: Thu, 25 Oct 2012 08:41:41 +0200 From: Petr Matousek <pmatouse@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2012-4508 -- kernel: ext4: AIO vs fallocate stale data exposure A race condition flaw has been found in the way asynchronous I/O and fallocate interacted which can lead to exposure of stale data -- that is, an extent which should have had the "uninitialized" bit set indicating that its blocks have not yet been written and thus contain data from a deleted file. An unprivileged local user could use this flaw to cause an information leak. Acknowledgements: Red Hat would like to thank Theodore Tso for reporting this issue. Upstream acknowledges Dmitry Monakhov as the original reporter. Upstream fix: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=dee1f973ca341c266229faa5a1a5bb268bed3531 Please see https://bugzilla.redhat.com/show_bug.cgi?id=869904#c1 for further information regarding the patch. References: https://bugzilla.redhat.com/show_bug.cgi?id=869904 Thanks, -- Petr Matousek / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ