
CVE-2021-47114: Vulnerability in Linux Linux

Medium
Published: Fri Mar 15 2024 (03/15/2024, 20:14:22 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix data corruption by fallocate

When fallocate punches holes out of inode size, if original isize is in the middle of last cluster, then the part from isize to the end of the cluster will be zeroed with buffer write, at that time isize is not yet updated to match the new size, if writeback is kicked in, it will invoke ocfs2_writepage()->block_write_full_page() where the pages out of inode size will be dropped. That will cause file corruption. Fix this by zeroing out eof blocks when extending the inode size.

Running the following command with qemu-image 4.2.1 can get a corrupted converted image file easily.

    qemu-img convert -p -t none -T none -f qcow2 $qcow_image \
             -O qcow2 -o compat=1.1 $qcow_image.conv

The usage of fallocate in qemu is like this, it first punches holes out of inode size, then extends the inode size.

    fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0
    fallocate(11, 0, 2276196352, 65536) = 0

v1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html
v2: https://lore.kernel.org/linux-fsdevel/20210525093034.GB4112@quack2.suse.cz/T/

AI-Powered Analysis

Last updated: 06/30/2025, 21:56:07 UTC

Technical Analysis

CVE-2021-47114 is a vulnerability in the Linux kernel's OCFS2 (Oracle Cluster File System version 2) filesystem implementation related to the fallocate system call. The flaw arises when hole punching is combined with a later inode size update. Specifically, when fallocate punches a hole beyond the current inode size and the original inode size (isize) lies in the middle of the last cluster, the kernel zeroes the region from the original inode size to the end of the cluster using buffered writes. At this point the inode size has not yet been updated to reflect the new size. If writeback is triggered in that window, it calls ocfs2_writepage(), which in turn invokes block_write_full_page(). That function drops pages that lie beyond the inode size, so the zeroed data never reaches disk even though the inode size is extended afterwards. The result is file corruption due to inconsistent data being written to disk.

This issue was demonstrated with qemu-img version 4.2.1, where converting qcow2 images using fallocate operations caused corrupted output files. The vulnerability is rooted in the sequence of fallocate calls that first punch holes with the FALLOC_FL_KEEP_SIZE and FALLOC_FL_PUNCH_HOLE flags and then extend the inode size, while the zeroing of blocks and the inode size update are not properly synchronized. The fix zeroes out end-of-file blocks when extending the inode size to prevent corruption.

The CVSS 3.1 score is 5.5 (medium severity), reflecting a local attack vector with low complexity, requiring privileges but no user interaction, and causing availability impact (file corruption). There are no known exploits in the wild currently. This vulnerability affects Linux kernel versions containing the specified commit hashes prior to the patch. The issue is particularly relevant for systems using OCFS2 and applications like QEMU that rely on fallocate for image file manipulation.
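The two-call fallocate sequence described above can be run as an integrity check against a mount point: after the hole punch and the extension, the old data must be unchanged and the newly exposed range must read as zeros. This is an added example, not code from the kernel fix or from QEMU; the sizes, the scratch-file name and the function names are assumptions chosen for illustration.

```c
#define _GNU_SOURCE                          /* for fallocate() */
#include <errno.h>
#include <fcntl.h>
#include <linux/falloc.h>                    /* FALLOC_FL_* flags */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int fallocate(int fd, int mode, off_t offset, off_t len);  /* hidden without _GNU_SOURCE */
enum { CHECK_OK, CHECK_CORRUPT, CHECK_UNSUPPORTED, CHECK_ERROR };
enum { OLD_SIZE = 100000, HOLE_OFF = 131072, HOLE_LEN = 65536 };  /* constructed sizes */

/* Offset of the first byte in [from, to) that is not `want`, or -1 if none. */
long first_mismatch(int fd, long from, long to, unsigned char want)
{
    unsigned char buf[4096];
    while (from < to) {
        ssize_t got = pread(fd, buf, sizeof buf, from);
        if (got <= 0) return from;            /* file too short, or read error */
        for (ssize_t i = 0; i < got && from + i < to; i++)
            if (buf[i] != want) return from + i;
        from += got;
    }
    return -1;
}

/* Run the two-call sequence on a scratch file in `dir` and verify the contents. */
int check_punch_then_extend(const char *dir)
{
    static unsigned char data[OLD_SIZE];
    char path[4096];
    int fd, rc = CHECK_ERROR;
    snprintf(path, sizeof path, "%s/falloc-check-XXXXXX", dir);
    if ((fd = mkstemp(path)) < 0) return rc;
    unlink(path);                             /* scratch file disappears on close */
    memset(data, 0xA5, sizeof data);          /* old contents; EOF is not block-aligned */
    if (pwrite(fd, data, sizeof data, 0) != (ssize_t)sizeof data || fsync(fd)) goto out;
    if (fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE, HOLE_OFF, HOLE_LEN) ||
        fsync(fd) ||                          /* writeback between the two calls */
        fallocate(fd, 0, HOLE_OFF, HOLE_LEN) || fsync(fd)) {
        rc = errno == EOPNOTSUPP ? CHECK_UNSUPPORTED : CHECK_ERROR;
        goto out;
    }
    posix_fadvise(fd, 0, 0, POSIX_FADV_DONTNEED);  /* read back from disk, not cache */
    rc = (first_mismatch(fd, 0, OLD_SIZE, 0xA5) < 0 &&
          first_mismatch(fd, OLD_SIZE, HOLE_OFF + HOLE_LEN, 0) < 0) ? CHECK_OK : CHECK_CORRUPT;
out:
    close(fd);
    return rc;
}
int main(int argc, char **argv) { return check_punch_then_extend(argc > 1 ? argv[1] : "."); }
```

Pass the directory to test as the first argument; the exit status is the result code. Because the corruption depends on when writeback runs, CHECK_OK on an OCFS2 mount does not by itself show that the kernel carries the fix.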

Potential Impact

For European organizations, the primary impact of CVE-2021-47114 is the risk of data corruption on systems using the OCFS2 filesystem, especially those running Linux kernels vulnerable to this flaw. This can lead to loss of data integrity and availability, particularly in environments where virtual machine images or large files are manipulated using fallocate, such as cloud providers, hosting services, and enterprises running virtualization infrastructure with QEMU/KVM. Corrupted disk images can cause VM failures, downtime, and potential data loss. Since the vulnerability requires local privileges, the risk is higher in multi-tenant environments or where untrusted users have some level of access. The lack of confidentiality or integrity impact reduces the risk of data leakage or unauthorized modification, but availability degradation can disrupt critical services. European organizations with infrastructure relying on OCFS2 or using QEMU for virtualization should be aware of this threat, as it can affect service reliability and operational continuity.

Mitigation Recommendations

1. Apply the official Linux kernel patches that fix this vulnerability as soon as possible to ensure the zeroing of EOF blocks is correctly handled during fallocate operations.
2. For organizations using QEMU, upgrade to versions that do not trigger this issue or apply patches that avoid the problematic fallocate usage pattern.
3. Avoid using OCFS2 filesystem for critical workloads if patching is delayed; consider migrating to more widely used and actively maintained filesystems like ext4 or XFS.
4. Implement strict access controls to limit local user privileges, reducing the risk of exploitation by unprivileged users.
5. Monitor file system integrity and implement regular backups to detect and recover from potential corruption.
6. In virtualized environments, validate VM disk images after conversion or manipulation operations to detect corruption early.
7. Employ kernel live patching solutions where possible to minimize downtime during patch deployment.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-03-04T18:12:48.836Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe9d6b

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/30/2025, 9:56:07 PM

Last updated: 8/4/2025, 6:50:29 AM
