From: Chris Mason <mason@suse.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>,
Xuan Baldauf <xuan--reiserfs@baldauf.org>,
reiserfs-list@namesys.com
Cc: Nicholas Petreley <nicholas@petreley.com>,
Harald Dunkel <harri@synopsys.COM>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] reiserfs old data bug 2.2.x (was: ReiserFS? How reliable ...)
Date: Thu, 05 Apr 2001 08:52:37 -0500 [thread overview]
Message-ID: <322330000.986478757@tiny> (raw)
In-Reply-To: <E14kyLV-0003AB-00@the-village.bc.nu>
[-- Attachment #1: Type: text/plain, Size: 1262 bytes --]
On Thursday, April 05, 2001 02:13:55 AM +0100 Alan Cox
<alan@lxorguk.ukuu.org.uk> wrote:
>> This is a reiserfs security issue, but only of theoretical nature (Even
>> i= f
>> triggered, it won't harm you). But the reason for this bug is in NFS
>> (v2,=
>
> If the blocks contained my old /etc/shadow I'd be a bit upset.
>
I think we're talking about different things here. Alan, I think you are
referring to the ability to get old data in files during mmap. Where the
exploit roughly looks like this:
truncate(file, 0)
truncate(file, X)
char *foo = mmap(file, X)
write(file, foo, X)
This should produce all zeros, but under 2.2.x reiserfs can instead include
old file data. Turns out this is because during the write, the block
pointer is inserted before the newly allocated (and zero'd) buffer was set
up to date. If a readpage is triggered when reiserfs_file_write calls
copy_from_user, you get the old data. The fix is to mark the buffer up to
date right after zeroing.
Two patches attached, one for 3.5.32 (uptodate_hole.diff.gz) and one for
older reiserfs versions (uptodate_hole-old.diff.gz). Both are small,
gzip'd because my mailer is dumb.
3.5.33 should come out soon with this included. 2.4.x reiserfs doesn't
need this patch.
-chris
[-- Attachment #2: uptodate_hole-old.diff.gz --]
[-- Type: application/x-gunzip, Size: 502 bytes --]
[-- Attachment #3: uptodate_hole.diff.gz --]
[-- Type: application/x-gunzip, Size: 234 bytes --]
next prev parent reply other threads:[~2001-04-05 13:54 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2001-04-03 12:13 ReiserFS? How reliable is it? Is this the future? Harald Dunkel
2001-04-03 12:47 ` Frank Fiene
2001-04-03 16:19 ` Nicholas Petreley
2001-04-03 16:57 ` Alan Cox
2001-04-05 1:05 ` Xuan Baldauf
2001-04-05 1:13 ` Alan Cox
2001-04-05 1:23 ` Xuan Baldauf
2001-04-05 13:52 ` Chris Mason [this message]
2001-04-03 18:23 ` jury gerold
2001-04-03 22:15 ` Shawn Starr
2001-04-04 10:18 ` Ookhoi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=322330000.986478757@tiny \
--to=mason@suse.com \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=harri@synopsys.COM \
--cc=linux-kernel@vger.kernel.org \
--cc=nicholas@petreley.com \
--cc=reiserfs-list@namesys.com \
--cc=xuan--reiserfs@baldauf.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox