[Hardy, Maverick] [CVE-2011-0463] [PATCH 1/1] Treat writes as new when holes span across page boundaries, CVE-2011-0463
Tim Gardner
tim.gardner at canonical.com
Tue Apr 26 16:08:53 UTC 2011
On 04/26/2011 10:00 AM, Brad Figg wrote:
> From: Goldwyn Rodrigues<rgoldwyn at gmail.com>
>
> BugLink: http://bugs.launchpad.net/bugs/770483
>
> CVE-2011-0463
>
> When a hole spans across page boundaries, the next write forces
> a read of the block. This could end up reading existing garbage
> data from the disk in ocfs2_map_page_blocks. This leads to
> non-zero holes. In order to avoid this, mark the writes as new
> when the holes span across page boundaries.
>
> Signed-off-by: Goldwyn Rodrigues<rgoldwyn at suse.de>
> Signed-off-by: jlbec<jlbec at evilplan.org>
>
> (cherry-pick of commit 272b62c1f0f6f742046e45b50b6fec98860208a0)
> Signed-off-by: Brad Figg<brad.figg at canonical.com>
> ---
> fs/ocfs2/aops.c | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
> index 0d44b77..b5d7fb9 100644
> --- a/fs/ocfs2/aops.c
> +++ b/fs/ocfs2/aops.c
> @@ -1015,6 +1015,12 @@ static int ocfs2_prepare_page_for_write(struct inode *inode, u64 *p_blkno,
> ocfs2_figure_cluster_boundaries(OCFS2_SB(inode->i_sb), cpos,
> &cluster_start,&cluster_end);
>
> + /* treat the write as new if the a hole/lseek spanned across
> + * the page boundary.
> + */
> + new = new | ((i_size_read(inode)<= page_offset(page))&&
> + (page_offset(page)<= user_pos));
> +
> if (page == wc->w_target_page) {
> map_from = user_pos& (PAGE_CACHE_SIZE - 1);
> map_to = map_from + user_len;
Acked-by: Tim Gardner <tim.gardner at canonical.com>
--
Tim Gardner tim.gardner at canonical.com
More information about the kernel-team
mailing list