From: Adrian Bunk <bunk@kernel.org>
To: Hugh Dickins <hugh@veritas.com>
Cc: Chuck Ebbert <cebbert@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Willy Tarreau <wtarreau@hera.kernel.org>,
stable@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] tmpfs: restore missing clear_highpage
Date: Sat, 15 Dec 2007 01:13:31 +0100
Message-ID: <20071215001331.GC5403@stusta.de>
In-Reply-To: <Pine.LNX.4.64.0712120434410.9566@blonde.wat.veritas.com>

On Wed, Dec 12, 2007 at 05:01:51AM +0000, Hugh Dickins wrote:
> On Tue, 11 Dec 2007, Chuck Ebbert wrote:
> > On 11/28/2007 01:55 PM, Hugh Dickins wrote:
> > > tmpfs was misconverted to __GFP_ZERO in 2.6.11. There's an unusual case in
> > > which shmem_getpage receives the page from its caller instead of allocating.
> > > We must cover this case by clear_highpage before SetPageUptodate, as before.
> > >
> > > Signed-off-by: Hugh Dickins <hugh@veritas.com>
> > > ---
> >
> > What are the symptoms of the bug this fixes?
>
> I've not seen it in practice, just noticed it while working on that
> area in the code. What's the polite way of describing these things
> in public? It's a vulnerability which might allow an attacker to
> access data from inside the kernel which should have been zeroed -
> in very limited circumstances I'd prefer not to have to devise and
> announce.
>
> It would also be wrong data, so could for example crash any program
> rightly relying on uninitialized static data to be zeroed - in the
> unlikely event that its data was coming via this route (in most setups
> it never can do, perhaps I'd conclude that's true of all setups). It
> has escaped notice for nearly three years, so it's not a commonplace.
>
> Further discussion offline if you like!

Can we get or is there already a CVE number?

> Hugh

cu
Adrian

--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
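
The bug class described in the quoted commit message, as an added user-space model (not code from this thread or from the kernel): zeroing was moved into an allocation flag, so a page that arrives from the caller instead of the allocator is never cleared before being marked up to date. All names here (model_alloc, model_getpage, MODEL_ZERO, stale_bytes_exposed) are hypothetical, and the 0xAA fill is constructed stale data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096
#define MODEL_ZERO 0x1u /* hypothetical flag standing in for __GFP_ZERO */
struct model_page { unsigned char data[MODEL_PAGE_SIZE]; int uptodate; };

/* Allocator: hands back stale bytes unless the caller asks for zeroing. */
static struct model_page *model_alloc(unsigned flags)
{
    struct model_page *p = malloc(sizeof *p);
    if (!p) return NULL;
    memset(p->data, 0xAA, sizeof p->data); /* constructed "old contents" */
    if (flags & MODEL_ZERO) memset(p->data, 0, sizeof p->data);
    p->uptodate = 0;
    return p;
}

/* Uses the caller's page when one is supplied, otherwise allocates a zeroed
 * one. clear_supplied=0 models the misconversion, 1 models the restored clear. */
static struct model_page *model_getpage(struct model_page *supplied, int clear_supplied)
{
    struct model_page *p = supplied ? supplied : model_alloc(MODEL_ZERO);
    if (!p) return NULL;
    if (supplied && clear_supplied)
        memset(p->data, 0, sizeof p->data); /* the role clear_highpage plays */
    p->uptodate = 1; /* like SetPageUptodate: contents are now trusted */
    return p;
}

/* Number of non-zero bytes a reader of the "up to date" page would see. */
size_t stale_bytes_exposed(int supply_page, int clear_supplied)
{
    struct model_page *mine = supply_page ? model_alloc(0) : NULL;
    struct model_page *p = model_getpage(mine, clear_supplied);
    size_t n = 0;
    if (!p) return (size_t)-1;
    for (size_t i = 0; i < sizeof p->data; i++) n += (p->data[i] != 0);
    free(p);
    return n;
}

int main(void)
{
    printf("allocated path:           %zu\n", stale_bytes_exposed(0, 0));
    printf("supplied, no clear:       %zu\n", stale_bytes_exposed(1, 0));
    printf("supplied, clear restored: %zu\n", stale_bytes_exposed(1, 1));
}
```

Only the caller-supplied path without the explicit clear exposes stale bytes, which is why a review of a "zero at allocation" conversion has to enumerate every path that reaches the point where the page is marked up to date.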