CAN-2003-0018 vs 2.6?

CAN-2003-0018 vs 2.6?

[Christoph Hellwig]

CAN-2003-0018 (Linux O_DIRECT Direct Input/Output Information Leak
Vulnerability) is still not fixed in mainline 2.6.

Last time I pinged you you said you didn't like the fixes but we're
getting to the point where 2.6 gets seriously used and we should start
to care.  In fact SuSE has been adding the patches to their tree now
which means an direct I/O API change which is kinda messy to maintain
for XFS (which isn't even affected by the vulnerability due to it's own
locking) that's supposed to supply vendors with uptodas.

So any plans to gets this in?

Re: CAN-2003-0018 vs 2.6?

[Andrew Morton]

Christoph Hellwig <hch@lst.de> wrote:
>
> CAN-2003-0018 (Linux O_DIRECT Direct Input/Output Information Leak
> Vulnerability) is still not fixed in mainline 2.6.
> 
> Last time I pinged you you said you didn't like the fixes but we're
> getting to the point where 2.6 gets seriously used and we should start
> to care.  In fact SuSE has been adding the patches to their tree now
> which means an direct I/O API change which is kinda messy to maintain
> for XFS (which isn't even affected by the vulnerability due to it's own
> locking) that's supposed to supply vendors with uptodas.
> 
> So any plans to gets this in?

The fixes for this have been ready to go for a week or so.  It's 2.6.6-pre
material.