CVE-2011-4086

Published: 09 February 2012

The journal_unmap_buffer function in fs/jbd2/transaction.c in the Linux kernel before 3.3.1 does not properly handle the _Delay and _Unwritten buffer head states, which allows local users to cause a denial of service (system crash) by leveraging the presence of an ext4 filesystem that was mounted with a journal.

From the Ubuntu security team

A flaw was found in the Linux's kernels ext4 file system when mounted with a journal. A local, unprivileged user could exploit this flaw to cause a denial of service.

Status

Notes

This is sitting in Ted Ts'o's dev tree presumably waiting on the 3.4
merge window, the issue is masked from v3.2 onwards by other commits.
The commit itself is marked for stable and for now I suspect we should
wait for it.  We have no stable commit id as yet, see:
jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer
this has now appeared upstream (see below)

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4086
• https://rhn.redhat.com/errata/RHSA-2012-0107.html
• http://thread.gmane.org/gmane.comp.file-systems.ext4/30623
• https://ubuntu.com/security/notices/USN-1431-1
• https://ubuntu.com/security/notices/USN-1433-1
• https://ubuntu.com/security/notices/USN-1432-1
• https://ubuntu.com/security/notices/USN-1440-1
• https://ubuntu.com/security/notices/USN-1445-1
• https://ubuntu.com/security/notices/USN-1446-1
• https://ubuntu.com/security/notices/USN-1453-1
• https://ubuntu.com/security/notices/USN-1454-1
• https://ubuntu.com/security/notices/USN-1458-1
• NVD
• Launchpad
• Debian

Bugs

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4086
• https://launchpad.net/bugs/929781