From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mikulas Patocka <mpatocka@redhat.com>,
Mike Snitzer <snitzer@redhat.com>,
Alasdair G Kergon <agk@redhat.com>
Subject: [ 27/32] dm snapshot: fix data corruption
Date: Fri, 1 Nov 2013 14:43:38 -0700 [thread overview]
Message-ID: <20131101214320.218729760@linuxfoundation.org> (raw)
In-Reply-To: <20131101214313.735463599@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit e9c6a182649f4259db704ae15a91ac820e63b0ca upstream.
This patch fixes a particular type of data corruption that has been
encountered when loading a snapshot's metadata from disk.
When we allocate a new chunk in persistent_prepare, we increment
ps->next_free and we make sure that it doesn't point to a metadata area
by further incrementing it if necessary.
When we load metadata from disk on device activation, ps->next_free is
positioned after the last used data chunk. However, if this last used
data chunk is followed by a metadata area, ps->next_free is positioned
erroneously to the metadata area. A newly-allocated chunk is placed at
the same location as the metadata area, resulting in data or metadata
corruption.
This patch changes the code so that ps->next_free skips the metadata
area when metadata are loaded in function read_exceptions.
The patch also moves a piece of code from persistent_prepare_exception
to a separate function skip_metadata to avoid code duplication.
CVE-2013-4299
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-snap-persistent.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
--- a/drivers/md/dm-snap-persistent.c
+++ b/drivers/md/dm-snap-persistent.c
@@ -269,6 +269,14 @@ static chunk_t area_location(struct psto
return NUM_SNAPSHOT_HDR_CHUNKS + ((ps->exceptions_per_area + 1) * area);
}
+static void skip_metadata(struct pstore *ps)
+{
+ uint32_t stride = ps->exceptions_per_area + 1;
+ chunk_t next_free = ps->next_free;
+ if (sector_div(next_free, stride) == NUM_SNAPSHOT_HDR_CHUNKS)
+ ps->next_free++;
+}
+
/*
* Read or write a metadata area. Remembering to skip the first
* chunk which holds the header.
@@ -502,6 +510,8 @@ static int read_exceptions(struct pstore
ps->current_area--;
+ skip_metadata(ps);
+
return 0;
}
@@ -616,8 +626,6 @@ static int persistent_prepare_exception(
struct dm_exception *e)
{
struct pstore *ps = get_info(store);
- uint32_t stride;
- chunk_t next_free;
sector_t size = get_dev_size(dm_snap_cow(store->snap)->bdev);
/* Is there enough room ? */
@@ -630,10 +638,8 @@ static int persistent_prepare_exception(
* Move onto the next free pending, making sure to take
* into account the location of the metadata chunks.
*/
- stride = (ps->exceptions_per_area + 1);
- next_free = ++ps->next_free;
- if (sector_div(next_free, stride) == 1)
- ps->next_free++;
+ ps->next_free++;
+ skip_metadata(ps);
atomic_inc(&ps->pending_count);
return 0;
next prev parent reply other threads:[~2013-11-01 21:46 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-01 21:43 [ 00/32] 3.4.68-stable review Greg Kroah-Hartman
2013-11-01 21:43 ` [ 01/32] tcp: must unclone packets before mangling them Greg Kroah-Hartman
2013-11-01 21:43 ` [ 02/32] tcp: do not forget FIN in tcp_shifted_skb() Greg Kroah-Hartman
2013-11-01 21:43 ` [ 03/32] net: do not call sock_put() on TIMEWAIT sockets Greg Kroah-Hartman
2013-11-01 21:43 ` [ 04/32] net: mv643xx_eth: update statistics timer from timer context only Greg Kroah-Hartman
2013-11-01 21:43 ` [ 05/32] net: mv643xx_eth: fix orphaned statistics timer crash Greg Kroah-Hartman
2013-11-01 21:43 ` [ 06/32] net: heap overflow in __audit_sockaddr() Greg Kroah-Hartman
2013-11-01 21:43 ` [ 07/32] proc connector: fix info leaks Greg Kroah-Hartman
2013-11-01 21:43 ` [ 08/32] ipv4: fix ineffective source address selection Greg Kroah-Hartman
2013-11-01 21:43 ` [ 09/32] can: dev: fix nlmsg size calculation in can_get_size() Greg Kroah-Hartman
2013-11-01 21:43 ` [ 10/32] ipv6: restrict neighbor entry creation to output flow Greg Kroah-Hartman
2013-11-01 21:43 ` [ 11/32] bridge: Correctly clamp MAX forward_delay when enabling STP Greg Kroah-Hartman
2013-11-01 21:43 ` Greg Kroah-Hartman
2013-11-01 21:43 ` [ 12/32] net: vlan: fix nlmsg size calculation in vlan_get_size() Greg Kroah-Hartman
2013-11-01 21:43 ` [ 13/32] l2tp: must disable bh before calling l2tp_xmit_skb() Greg Kroah-Hartman
2013-11-01 21:43 ` [ 14/32] farsync: fix info leak in ioctl Greg Kroah-Hartman
2013-11-01 21:43 ` [ 15/32] unix_diag: fix info leak Greg Kroah-Hartman
2013-11-01 21:43 ` [ 16/32] connector: use nlmsg_len() to check message length Greg Kroah-Hartman
2013-11-01 21:43 ` [ 17/32] bnx2x: record rx queue for LRO packets Greg Kroah-Hartman
2013-11-01 21:43 ` [ 18/32] net: dst: provide accessor function to dst->xfrm Greg Kroah-Hartman
2013-11-01 21:43 ` [ 19/32] sctp: Use software crc32 checksum when xfrm transform will happen Greg Kroah-Hartman
2013-11-01 21:43 ` [ 20/32] sctp: Perform software checksum if packet has to be fragmented Greg Kroah-Hartman
2013-11-01 21:43 ` [ 21/32] wanxl: fix info leak in ioctl Greg Kroah-Hartman
2013-11-01 21:43 ` [ 22/32] net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race Greg Kroah-Hartman
2013-11-01 21:43 ` [ 23/32] net: fix cipso packet validation when !NETLABEL Greg Kroah-Hartman
2013-11-01 21:43 ` [ 24/32] inet: fix possible memory corruption with UDP_CORK and UFO Greg Kroah-Hartman
2013-11-01 21:43 ` [ 25/32] davinci_emac.c: Fix IFF_ALLMULTI setup Greg Kroah-Hartman
2013-11-01 21:43 ` [ 26/32] ext3: return 32/64-bit dir name hash according to usage type Greg Kroah-Hartman
2013-11-01 21:43 ` Greg Kroah-Hartman [this message]
2013-11-01 21:43 ` [ 28/32] writeback: fix negative bdi max pause Greg Kroah-Hartman
2013-11-01 21:43 ` [ 29/32] wireless: radiotap: fix parsing buffer overrun Greg Kroah-Hartman
2013-11-01 21:43 ` [ 30/32] USB: serial: ti_usb_3410_5052: add Abbott strip port ID to combined table as well Greg Kroah-Hartman
2013-11-01 21:43 ` [ 31/32] USB: serial: option: add support for Inovia SEW858 device Greg Kroah-Hartman
2013-11-01 21:43 ` [ 32/32] usb: serial: option: blacklist Olivetti Olicard200 Greg Kroah-Hartman
2013-11-02 2:28 ` [ 00/32] 3.4.68-stable review Guenter Roeck
2013-11-02 21:33 ` Shuah Khan
2013-11-04 3:07 ` Satoru Takeuchi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131101214320.218729760@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=agk@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mpatocka@redhat.com \
--cc=snitzer@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.