CVE-2021-47114
Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix data corruption by fallocate

When fallocate punches holes out of inode size, if the original isize is in the middle of the last cluster, then the part from isize to the end of the cluster will be zeroed with a buffer write. At that time isize is not yet updated to match the new size, so if writeback is kicked in, it will invoke ocfs2_writepage()->block_write_full_page(), where the pages out of inode size will be dropped. That will cause file corruption. Fix this by zeroing out eof blocks when extending the inode size.

Running the following command with qemu-image 4.2.1 can get a corrupted converted image file easily.

  qemu-img convert -p -t none -T none -f qcow2 $qcow_image \
    -O qcow2 -o compat=1.1 $qcow_image.conv

The usage of fallocate in qemu is like this: it first punches holes out of inode size, then extends the inode size.

  fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0
  fallocate(11, 0, 2276196352, 65536) = 0

v1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html
v2: https://lore.kernel.org/linux-fsdevel/20210525093034.GB4112@quack2.suse.cz/T/
POC
Reference
No PoCs from references.