| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <875yqt1c9g.fsf@mail.parknet.co.jp>
Date: Sun, 09 Jan 2022 18:36:43 +0900
From: OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>
To: linux-block@...r.kernel.org
Cc: Jens Axboe <axboe@...nel.dk>, glider@...gle.com,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
syzbot <syzbot+ac94ae5f68b84197f41c@...kaller.appspotmail.com>
Subject: [PATCH] block: Fix wrong offset in bio_truncate()
bio_truncate() clears the buffer outside of last block of bdev, however
current bio_truncate() is using the wrong offset of page. So it can
return the uninitialized data.
This happened when both of truncated/corrupted FS and userspace (via
bdev) are trying to read the last of bdev.
Reported-by: syzbot+ac94ae5f68b84197f41c@...kaller.appspotmail.com
Signed-off-by: OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>
---
block/bio.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/block/bio.c b/block/bio.c
index a6fb6a0..25f1ed2 100644
--- a/block/bio.c 2021-11-01 09:19:05.999472589 +0900
+++ b/block/bio.c 2022-01-09 17:40:09.010438012 +0900
@@ -567,7 +567,8 @@ void bio_truncate(struct bio *bio, unsig
offset = new_size - done;
else
offset = 0;
- zero_user(bv.bv_page, offset, bv.bv_len - offset);
+ zero_user(bv.bv_page, bv.bv_offset + offset,
+ bv.bv_len - offset);
truncated = true;
}
done += bv.bv_len;
_
--
OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>
Powered by blists - more mailing lists