From: Chris Wright <chrisw@sous-sol.org>
To: linux-kernel@vger.kernel.org, stable@kernel.org, jejb@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Dmitri Monakhov <dmonakhov@openvz.org>
Subject: vfs: fix data leak in nobh_write_end()
Date: Wed, 16 Apr 2008 18:01:40 -0700 [thread overview]
Message-ID: <20080417010332.046953601@sous-sol.org> (raw)
In-Reply-To: 20080417010122.148289106@sous-sol.org
[-- Attachment #1: vfs-fix-data-leak-in-nobh_write_end.patch --]
[-- Type: text/plain, Size: 4720 bytes --]
-stable review patch. If anyone has any objections, please let us know.
---------------------
From: Dmitri Monakhov <dmonakhov@openvz.org>
upstream commit: 5b41e74ad1b0bf7bc51765ae74e5dc564afc3e48
Current nobh_write_end() implementation ignore partial writes(copied < len)
case if page was fully mapped and simply mark page as Uptodate, which is
totally wrong because area [pos+copied, pos+len) wasn't updated explicitly in
previous write_begin call. It simply contains garbage from pagecache and
result in data leakage.
#TEST_CASE_BEGIN:
~~~~~~~~~~~~~~~~
In fact issue triggered by classical testcase
open("/mnt/test", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
ftruncate(3, 409600) = 0
writev(3, [{"a", 1}, {NULL, 4095}], 2) = 1
##TESTCASE_SOURCE:
~~~~~~~~~~~~~~~~~
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <errno.h>
int main(int argc, char **argv)
{
int fd, ret;
void* p;
struct iovec iov[2];
fd = open(argv[1], O_RDWR|O_CREAT|O_TRUNC, 0666);
ftruncate(fd, 409600);
iov[0].iov_base="a";
iov[0].iov_len=1;
iov[1].iov_base=NULL;
iov[1].iov_len=4096;
ret = writev(fd, iov, sizeof(iov)/sizeof(struct iovec));
printf("writev = %d, err = %d\n", ret, errno);
return 0;
}
##TESTCASE RESULT:
~~~~~~~~~~~~~~~~~~
[root@ts63 ~]# mount | grep mnt2
/dev/mapper/test on /mnt2 type ext2 (rw,nobh)
[root@ts63 ~]# /tmp/writev /mnt2/test
writev = 1, err = 0
[root@ts63 ~]# hexdump -C /mnt2/test
00000000 61 65 62 6f 6f 74 00 00 f0 b9 b4 59 3a 00 00 00 |aeboot.....Y:...|
00000010 20 00 00 00 00 00 00 00 21 00 00 00 00 00 00 00 | .......!.......|
00000020 df df df df df df df df df df df df df df df df |................|
00000030 3a 00 00 00 2a 00 00 00 21 00 00 00 00 00 00 00 |:...*...!.......|
00000040 60 c0 8c 00 00 00 00 00 40 4a 8d 00 00 00 00 00 |`.......@J......|
00000050 00 00 00 00 00 00 00 00 41 00 00 00 00 00 00 00 |........A.......|
00000060 74 69 6d 65 20 64 64 20 69 66 3d 2f 64 65 76 2f |time dd if=/dev/|
00000070 6c 6f 6f 70 30 20 20 6f 66 3d 2f 64 65 76 2f 6e |loop0 of=/dev/n|
skip..
00000f50 00 00 00 00 00 00 00 00 31 00 00 00 00 00 00 00 |........1.......|
00000f60 6d 6b 66 73 2e 65 78 74 33 20 2f 64 65 76 2f 76 |mkfs.ext3 /dev/v|
00000f70 7a 76 67 2f 74 65 73 74 20 2d 62 34 30 39 36 00 |zvg/test -b4096.|
00000f80 a0 fe 8c 00 00 00 00 00 21 00 00 00 00 00 00 00 |........!.......|
00000f90 23 31 32 30 35 39 35 30 34 30 34 00 3a 00 00 00 |#1205950404.:...|
00000fa0 20 00 8d 00 00 00 00 00 21 00 00 00 00 00 00 00 | .......!.......|
00000fb0 d0 cf 8c 00 00 00 00 00 10 d0 8c 00 00 00 00 00 |................|
00000fc0 00 00 00 00 00 00 00 00 41 00 00 00 00 00 00 00 |........A.......|
00000fd0 6d 6f 75 6e 74 20 2f 64 65 76 2f 76 7a 76 67 2f |mount /dev/vzvg/|
00000fe0 74 65 73 74 20 20 2f 76 7a 20 2d 6f 20 64 61 74 |test /vz -o dat|
00000ff0 61 3d 77 72 69 74 65 62 61 63 6b 00 00 00 00 00 |a=writeback.....|
00001000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
As you can see file's page contains garbage from pagecache instead of zeros.
#TEST_CASE_END
Attached patch:
- Add sanity check BUG_ON in order to prevent incorrect usage by caller,
This is function invariant because page can has buffers and in no zero
*fadata pointer at the same time.
- Always attach buffers to page is it is partial write case.
- Always switch back to generic_write_end if page has buffers.
This is reasonable because if page already has buffer then generic_write_begin
was called previously.
Signed-off-by: Dmitri Monakhov <dmonakhov@openvz.org>
Reviewed-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
fs/buffer.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -2565,14 +2565,13 @@ int nobh_write_end(struct file *file, st
struct inode *inode = page->mapping->host;
struct buffer_head *head = fsdata;
struct buffer_head *bh;
+ BUG_ON(fsdata != NULL && page_has_buffers(page));
- if (!PageMappedToDisk(page)) {
- if (unlikely(copied < len) && !page_has_buffers(page))
- attach_nobh_buffers(page, head);
- if (page_has_buffers(page))
- return generic_write_end(file, mapping, pos, len,
- copied, page, fsdata);
- }
+ if (unlikely(copied < len) && !page_has_buffers(page))
+ attach_nobh_buffers(page, head);
+ if (page_has_buffers(page))
+ return generic_write_end(file, mapping, pos, len,
+ copied, page, fsdata);
SetPageUptodate(page);
set_page_dirty(page);
--
next prev parent reply other threads:[~2008-04-17 1:11 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-04-17 1:01 [patch 00/66] 2.6.24-stable review Chris Wright
2008-04-17 1:01 ` time: prevent the loop in timespec_add_ns() from being optimised away Chris Wright
2008-04-17 1:01 ` kbuild: soften modpost checks when doing cross builds Chris Wright
2008-04-17 1:01 ` mtd: memory corruption in block2mtd.c Chris Wright
2008-04-17 1:01 ` md: remove the super sysfs attribute from devices in an md array Chris Wright
2008-04-17 1:01 ` V4L: ivtv: Add missing sg_init_table() Chris Wright
2008-04-17 1:01 ` UIO: add pgprot_noncached() to UIO mmap code Chris Wright
2008-04-17 1:01 ` USB: add support for Motorola ROKR Z6 cellphone in mass storage mode Chris Wright
2008-04-17 1:01 ` USB: new quirk flag to avoid Set-Interface Chris Wright
2008-04-17 1:01 ` inotify: fix race Chris Wright
2008-04-17 1:01 ` inotify: remove debug code Chris Wright
2008-04-17 1:01 ` NOHZ: reevaluate idle sleep length after add_timer_on() Chris Wright
2008-04-17 1:01 ` slab: fix cache_cache bootstrap in kmem_cache_init() Chris Wright
2008-04-17 1:01 ` xen: fix RMW when unmasking events Chris Wright
2008-04-17 1:01 ` xen: mask out SEP from CPUID Chris Wright
2008-04-17 1:01 ` xen: fix UP setup of shared_info Chris Wright
2008-04-17 1:01 ` PERCPU : __percpu_alloc_mask() can dynamically size percpu_data storage Chris Wright
2008-04-17 1:01 ` alloc_percpu() fails to allocate percpu data Chris Wright
2008-04-17 1:01 ` Chris Wright [this message]
2008-04-17 1:01 ` pci: revert SMBus unhide on HP Compaq nx6110 Chris Wright
2008-04-17 1:01 ` hwmon: (w83781d) Fix I/O resource conflict with PNP Chris Wright
2008-04-17 1:01 ` vmcoreinfo: add the symbol "phys_base" Chris Wright
2008-04-17 9:24 ` Eric W. Biederman
2008-04-17 17:16 ` Chris Wright
2008-04-17 17:29 ` Vivek Goyal
2008-04-18 10:17 ` Ken'ichi Ohmichi
2008-04-17 23:31 ` Eric W. Biederman
2008-04-17 1:01 ` USB: Allow initialization of broken keyspan serial adapters Chris Wright
2008-04-17 1:01 ` USB: serial: fix regression in Visor/Palm OS module for kernels >= 2.6.24 Chris Wright
2008-04-17 1:01 ` USB: serial: ti_usb_3410_5052: Correct TUSB3410 endpoint requirements Chris Wright
2008-04-17 8:01 ` Oliver Neukum
2008-04-17 17:02 ` Greg KH
2008-04-17 1:01 ` CRYPTO xcbc: Fix crash when ipsec uses xcbc-mac with big data chunk Chris Wright
2008-04-17 11:26 ` S.Çağlar Onur
2008-04-17 14:22 ` Herbert Xu
2008-04-17 23:33 ` Chris Wright
2008-04-17 1:01 ` mtd: fix broken state in CFI driver caused by FL_SHUTDOWN Chris Wright
2008-04-17 1:01 ` ipmi: change device node ordering to reflect probe order Chris Wright
2008-04-17 1:01 ` AX25 ax25_out: check skb for NULL in ax25_kick() Chris Wright
2008-04-17 1:01 ` NET: include <linux/types.h> into linux/ethtool.h for __u* typedef Chris Wright
2008-04-17 1:01 ` SUNGEM: Fix NAPI assertion failure Chris Wright
2008-04-17 1:01 ` INET: inet_frag_evictor() must run with BH disabled Chris Wright
2008-04-17 1:01 ` LLC: Restrict LLC sockets to root Chris Wright
2008-04-17 1:01 ` netpoll: zap_completion_queue: adjust skb->users counter Chris Wright
2008-04-17 1:01 ` PPPOL2TP: Make locking calls softirq-safe Chris Wright
2008-04-17 1:01 ` PPPOL2TP: Fix SMP issues in skb reorder queue handling Chris Wright
2008-04-17 1:01 ` NET: Add preemption point in qdisc_run Chris Wright
2008-04-17 1:01 ` sch_htb: fix "too many events" situation Chris Wright
2008-04-17 1:02 ` SCTP: Fix local_addr deletions during list traversals Chris Wright
2008-04-17 1:02 ` NET: Fix multicast device ioctl checks Chris Wright
2008-04-17 1:02 ` TCP: Fix shrinking windows with window scaling Chris Wright
2008-04-17 1:02 ` TCP: Let skbs grow over a page on fast peers Chris Wright
2008-04-17 1:02 ` VLAN: Dont copy ALLMULTI/PROMISC flags from underlying device Chris Wright
2008-04-17 1:02 ` SPARC64: Fix atomic backoff limit Chris Wright
2008-04-17 1:02 ` SPARC64: Fix __get_cpu_var in preemption-enabled area Chris Wright
2008-04-17 1:02 ` SPARC64: flush_ptrace_access() needs preemption disable Chris Wright
2008-04-17 1:02 ` libata: assume no device is attached if both IDENTIFYs are aborted Chris Wright
2008-04-17 1:02 ` sis190: read the mac address from the eeprom first Chris Wright
2008-04-17 1:02 ` bluetooth: hci_core: defer hci_unregister_sysfs() Chris Wright
2008-04-17 1:02 ` SPARC64: Fix FPU saving in 64-bit signal handling Chris Wright
2008-04-17 1:02 ` DVB: tda10086: make the 22kHz tone for DISEQC a config option Chris Wright
2008-04-17 1:02 ` SUNRPC: Fix a memory leak in rpc_create() Chris Wright
2008-04-17 21:25 ` Stefan Lippers-Hollmann
2008-04-17 22:06 ` Trond Myklebust
2008-04-17 22:09 ` Chris Wright
2008-04-18 14:42 ` Chuck Lever
2008-04-17 1:02 ` HFS+: fix unlink of links Chris Wright
2008-04-17 1:02 ` acpi: fix "buggy BIOS check" when CPUs are hot removed Chris Wright
2008-04-17 1:02 ` plip: replace spin_lock_irq with spin_lock_irqsave in irq context Chris Wright
2008-04-17 1:02 ` signalfd: fix for incorrect SI_QUEUE user data reporting Chris Wright
2008-04-17 1:02 ` md: close a livelock window in handle_parity_checks5 Chris Wright
2008-04-17 1:02 ` POWERPC: Fix build of modular drivers/macintosh/apm_emu.c Chris Wright
2008-04-17 1:02 ` pnpacpi: reduce printk severity for "pnpacpi: exceeded the max number of ..." Chris Wright
2008-04-17 15:24 ` Nick Andrew
2008-04-17 17:09 ` Chris Wright
2008-04-18 21:48 ` Bjorn Helgaas
2008-04-23 4:09 ` [stable PATCH for 2.6.24.5 and 2.6.25] pnpacpi: fix potential corruption on "pnpacpi: exceeded the max number of IRQ resources 2" Len Brown
2008-04-17 1:02 ` PARISC futex: special case cmpxchg NULL in kernel space Chris Wright
2008-04-17 1:02 ` Chris Wright
2008-04-17 1:02 ` PARISC pdc_console: fix bizarre panic on boot Chris Wright
2008-04-17 1:02 ` Chris Wright
2008-04-17 1:02 ` PARISC fix signal trampoline cache flushing Chris Wright
2008-04-17 1:02 ` acpi: bus: check once more for an empty list after locking it Chris Wright
2008-04-17 1:02 ` fbdev: fix /proc/fb oops after module removal Chris Wright
2008-04-17 1:02 ` macb: Call phy_disconnect on removing Chris Wright
2008-04-17 1:02 ` file capabilities: remove cap_task_kill() Chris Wright
2008-04-17 1:02 ` locks: fix possible infinite loop in fcntl(F_SETLKW) over nfs Chris Wright
2008-04-18 7:50 ` [stable] [patch 00/66] 2.6.24-stable review Chris Wright
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080417010332.046953601@sous-sol.org \
--to=chrisw@sous-sol.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cavokz@gmail.com \
--cc=cebbert@redhat.com \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=dmonakhov@openvz.org \
--cc=jejb@kernel.org \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkrufky@linuxtv.org \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.