CVE-2021-47114 in Linux
Summary
by MITRE • 03/15/2024
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix data corruption by fallocate
When fallocate punches holes out of inode size, if original isize is in the middle of last cluster, then the part from isize to the end of the cluster will be zeroed with buffer write, at that time isize is not yet updated to match the new size, if writeback is kicked in, it will invoke ocfs2_writepage()->block_write_full_page() where the pages out of inode size will be dropped. That will cause file corruption. Fix this by zero out eof blocks when extending the inode size.
Running the following command with qemu-image 4.2.1 can get a corrupted coverted image file easily.
qemu-img convert -p -t none -T none -f qcow2 $qcow_image \ -O qcow2 -o compat=1.1 $qcow_image.conv
The usage of fallocate in qemu is like this, it first punches holes out of inode size, then extend the inode size.
fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0 fallocate(11, 0, 2276196352, 65536) = 0
v1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html v2: https://lore.kernel.org/linux-fsdevel/[email protected]/T/
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 06/21/2025
The vulnerability described in CVE-2021-47114 represents a critical data corruption issue within the Linux kernel's ocfs2 (Oracle Cluster File System 2) implementation that arises from improper handling of file allocation operations. This flaw specifically manifests when the fallocate system call is used to punch holes in files while simultaneously extending their size, creating a race condition between buffer write operations and inode size updates. The issue occurs in the context of cluster-based file systems where data is organized in fixed-size blocks, and the timing of operations can lead to inconsistent states between what the system believes the file size should be and what actually exists on disk.
The technical root cause stems from a race condition in the ocfs2 file system driver where the fallocate operation performs two distinct steps that are not properly synchronized. First, it punches holes out of the inode size using FALLOC_FL_PUNCH_HOLE flag, which zeros out data in the affected regions. However, at this point, the inode's internal size tracking (isize) has not yet been updated to reflect the new file dimensions. When the subsequent buffer write operations occur, they operate on data that has been zeroed but where the inode size still references the old boundaries. This mismatch causes the file system to treat data that should be part of the extended file as if it were outside the valid file boundaries, leading to corruption when writeback processes attempt to handle these pages.
The operational impact of this vulnerability extends beyond simple data loss, affecting the integrity of virtual machine disk images and potentially compromising entire virtualization environments. The specific scenario described involves the qemu-img conversion utility which is widely used in cloud computing and virtualization platforms. When qemu uses fallocate with the combination of FALLOC_FL_KEEP_SIZE and FALLOC_FL_PUNCH_HOLE flags followed by a standard fallocate call to extend the file size, it triggers this race condition. The vulnerability is particularly concerning because it can silently corrupt data without generating error messages, making detection difficult and potentially leading to system instability or data loss in production environments.
The fix implemented addresses this issue by ensuring that end-of-file blocks are properly zeroed when extending inode size, rather than allowing the race condition to occur. This solution aligns with the principles of proper resource management and atomic operations in file system design. The vulnerability demonstrates the importance of maintaining consistency between metadata and actual data in cluster-based file systems, as outlined in CWE-116 for improper encoding and CWE-362 for race conditions. The attack pattern follows techniques similar to those described in ATT&CK framework under T1486 for data manipulation and T1070 for indicator removal, where the corruption occurs without obvious signs of compromise. Organizations using ocfs2 file systems, particularly those running virtualization infrastructure, should prioritize applying this kernel patch to prevent potential data corruption scenarios that could affect critical workloads and virtual machine disk images.