Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's ext4 file system can lead to improper management of unwritten extents. When an unwritten extent is split and converted to an initialized state, it may leave behind a stale unwritten extent. This issue arises in scenarios where there is a buffered write in the middle of an unwritten file, without the 'dioread_nolock' option enabled. The problem occurs because the extent handling function, 'ext4_split_extent()', fails to split the extent at the desired point due to temporary space constraints. As a result, the function zeros out part of the extent but leaves the entire extent marked as unwritten. Later, when the extent is successfully split, only the newly written portion is updated in the extent status tree, leaving a stale unwritten entry. This vulnerability affects several versions of the Linux kernel.
Exploitation of this vulnerability can lead to the presence of stale unwritten extents in the extent status tree, potentially causing inconsistencies in file data management.
To reproduce this vulnerability, create an unwritten file in the ext4 file system and initiate a buffered write in the middle of the file without 'dioread_nolock' enabled. This will cause the file system to allocate blocks as written extents. Next, attempt to split an unwritten extent at a point where the write has occurred, using the 'EXT4_EXT_MAY_ZEROOUT' and 'EXT4_EXT_DATA_VALID2' flags. The split will fail due to lack of space, prompting the file system to zero out part of the extent and leave it unwritten. When the extent is finally split successfully, the status tree will only reflect the written portion, leaving a stale unwritten extent entry.
The vulnerability has been addressed in Linux kernel commits 6d882ea3b0931b43530d44149b79fcd4ffc13030, a1b962a821e7a52d48212ae269b45808b4411267, d8ee559fccdef713f058cfe5f2c03dc9b18be3b1 and f0931a5c17005a0c4fc35bd1a001245effc3354b. Users should upgrade to the latest version of the Linux kernel to apply this fix.
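One way to check whether a kernel git checkout already carries this fix, as an added example that is not part of the original advisory. The function name `find_fix` and its arguments are illustrative; the commit IDs are the ones listed above. It assumes that any one of those commits, or a backport that cites one of them in its commit message, means the fix is present, since the advisory does not say which branch each commit belongs to.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory or the kernel project).
# Commit IDs copied from the advisory text above.
FIX_COMMITS="6d882ea3b0931b43530d44149b79fcd4ffc13030
a1b962a821e7a52d48212ae269b45808b4411267
d8ee559fccdef713f058cfe5f2c03dc9b18be3b1
f0931a5c17005a0c4fc35bd1a001245effc3354b"

# Usage: find_fix /path/to/linux [REV] [COMMITS]
# Prints "direct <id>" when a listed commit is an ancestor of REV, or
# "backport <id> via <commit>" when a commit reachable from REV cites a listed
# ID in its message (the "commit <id> upstream." and "cherry picked from
# commit <id>" conventions). Returns 0 if found, 1 if not found, and 2 if
# REPO or REV cannot be resolved.
find_fix() {
    ff_repo=$1; ff_rev=${2:-HEAD}; ff_commits=${3:-$FIX_COMMITS}
    git -C "$ff_repo" rev-parse --verify --quiet "${ff_rev}^{commit}" >/dev/null 2>&1 || return 2
    for ff_id in $ff_commits; do
        # Case 1: the exact commit object is part of this history.
        if git -C "$ff_repo" cat-file -e "${ff_id}^{commit}" 2>/dev/null &&
           git -C "$ff_repo" merge-base --is-ancestor "$ff_id" "$ff_rev" 2>/dev/null; then
            echo "direct $ff_id"
            return 0
        fi
        # Case 2: a backport has a different ID but names the original one.
        ff_via=$(git -C "$ff_repo" log -1 --format=%H --grep="$ff_id" "$ff_rev" 2>/dev/null) || ff_via=""
        if [ -n "$ff_via" ]; then
            echo "backport $ff_id via $ff_via"
            return 0
        fi
    done
    return 1
}
```

A return value of 1 only means none of the listed IDs appear in that history; a vendor kernel that rewrote the patch without citing the upstream commit would not be detected this way.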