Vulnerability in XFS that allows reading raw block device data

A vulnerability (CVE-2021-4155) has been discovered in the XFS file system code that allows a local unprivileged user to read unused block data directly from a block device. All major versions of the Linux kernel older than 5.16 that contain the XFS driver are affected by this issue. The fix was included in version 5.16, as well as in the stable kernel updates 5.15.14, 5.10.91, 5.4.171, 4.19.225, etc. The status of distribution updates that fix the problem can be tracked on these pages: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch.

The vulnerability is caused by the incorrect behavior of two XFS-specific ioctls, ioctl(XFS_IOC_ALLOCSP) and ioctl(XFS_IOC_FREESP), which are the functional analogue of the kernel-wide fallocate() system call. When a file is extended to a size that is not block-aligned, the XFS_IOC_ALLOCSP/XFS_IOC_FREESP ioctls do not zero the bytes between the new end of the file and the next block boundary. Thus, on an XFS file system with the standard block size of 4096 bytes, an attacker can read up to 4095 bytes of previously written data from each block. These areas can contain data from deleted files, defragmented files, and files with deduplicated blocks.

You can check your system for the problem with a simple exploit prototype. If, after executing the proposed sequence of commands, it is possible to read Shakespeare's text, then the FS driver is vulnerable. The initial mounting of the XFS partition for the demonstration requires superuser rights.
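A defender-side complement to the exploit prototype mentioned above is to check, on each host, whether an XFS file system is actually mounted and whether the running kernel's version number is at or beyond the fixed releases named in this article. The script below is an added example, not code from the article or from the kernel project; the version table is taken from the article, the /proc/mounts sample is constructed, and `kernel_status`, `xfs_mounts` and `parse_kernel_version` are names chosen here. Note that distribution kernels (RHEL, Debian, Ubuntu and others) frequently backport fixes without changing the upstream version string, so a "needs-update" result is a prompt to consult the distribution's advisory page, not a verdict.

```python
"""Check whether this host is plausibly exposed to CVE-2021-4155 (XFS
XFS_IOC_ALLOCSP/XFS_IOC_FREESP stale-data leak).

Two independent signals are combined:
  1. Is any XFS file system mounted? The bug lives in the XFS driver, and
     mounting requires root, so an unprivileged user can only reach it
     through file systems that are already mounted.
  2. Does the upstream kernel version number include the fix? The fixed
     versions below are the ones named in the article.
"""
import platform
import re

# First release in each stable series that contains the fix, per the article.
# Series not listed here (e.g. 4.14, 5.11) are reported as "unknown-series".
FIXED_VERSIONS = {
    (5, 16): (5, 16, 0),
    (5, 15): (5, 15, 14),
    (5, 10): (5, 10, 91),
    (5, 4): (5, 4, 171),
    (4, 19): (4, 19, 225),
}


def parse_kernel_version(release):
    """Turn a `uname -r` string such as '5.10.0-9-amd64' or '5.15.14-arch1-1'
    into a (major, minor, patch) tuple; a missing patch level counts as 0."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not match:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def kernel_status(release):
    """Classify an upstream kernel version string as 'fixed', 'needs-update'
    or 'unknown-series'. Distribution backports are NOT detected here."""
    version = parse_kernel_version(release)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is not None:
        return "fixed" if version >= fixed else "needs-update"
    # Any mainline kernel newer than 5.16 carries the fix; an older series
    # that is not in the table may or may not have received a backport.
    return "fixed" if version >= (5, 16, 0) else "unknown-series"


def xfs_mounts(mounts_text):
    """Return the mount points whose file system type is xfs, parsed from the
    text of /proc/mounts (fields: device, mountpoint, fstype, options, ...)."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "xfs":
            points.append(fields[1])
    return points


# Constructed sample in /proc/mounts format, used for the offline demonstration.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /data xfs rw,relatime,attr2,inode64 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/mapper/vg0-srv /srv xfs rw,noatime,attr2 0 0
"""


def assess(release, mounts_text):
    """Combine both signals into a short human-readable summary."""
    mounted = xfs_mounts(mounts_text)
    status = kernel_status(release)
    if not mounted:
        return f"no XFS mounted; kernel {release} is {status}"
    return f"XFS mounted at {', '.join(mounted)}; kernel {release} is {status}"


if __name__ == "__main__":
    # Live run: read the real kernel version and mount table on this host.
    try:
        with open("/proc/mounts") as fh:
            live_mounts = fh.read()
    except OSError:
        live_mounts = ""  # not Linux, or /proc unavailable
    print(assess(platform.release(), live_mounts))
    # Offline run against the constructed sample.
    print(assess("5.10.90-generic", SAMPLE_MOUNTS))
```

On a host with no XFS mounted the result is informational only; on a host where `xfs_mounts` returns anything and `kernel_status` is not "fixed", the next step is the distribution advisory page listed above, since the version string alone cannot tell a backported fix from an unpatched kernel.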

Since ioctl(XFS_IOC_ALLOCSP) and ioctl(XFS_IOC_FREESP) are almost identical in functionality to the standard fallocate(), and their only difference is the data leak, their presence amounts to a backdoor. Despite the general policy of not changing existing kernel interfaces, at the suggestion of Linus the decision has been made to remove these ioctls completely in the next version.

Source: opennet.ru
