[kernel/f15] loop: prevent information leak after failed read (rhbz 782687)

Josh Boyer jwboyer at fedoraproject.org
Wed Jan 18 15:30:38 UTC 2012


commit cd4ffd10e875541da001be96059e2fff331a6235
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Wed Jan 18 10:23:39 2012 -0500

    loop: prevent information leak after failed read (rhbz 782687)

 kernel.spec                                        |    6 +++
 ...revent-information-leak-after-failed-read.patch |   41 ++++++++++++++++++++
 2 files changed, 47 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 3be1c08..b5d2f86 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -754,6 +754,8 @@ Patch21079: 03-dm-dont-fwd-ioctls-from-LVs-to-underlying-dev.patch
 #rhbz 782681
 Patch21085: proc-clean-up-and-fix-proc-pid-mem-handling.patch
 
+#rhbz 782687
+Patch21086: loop-prevent-information-leak-after-failed-read.patch
 
 %endif
 
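
Review bot: The `#rhbz 782687` comment above `Patch21086` records only the bugzilla number, with no pointer to the commit the patch was taken from. The patch file's own header names it (`From 3bb9068278ea524581237abadd41377a14717e7d`); repeating a short form of that hash in this comment would make it easy to tell, on the next rebase, whether the base kernel already contains the fix and the patch can be dropped.
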
@@ -1400,6 +1402,9 @@ ApplyPatch 03-dm-dont-fwd-ioctls-from-LVs-to-underlying-dev.patch
 #rhbz 782681
 ApplyPatch proc-clean-up-and-fix-proc-pid-mem-handling.patch
 
+#rhbz 782687
+ApplyPatch loop-prevent-information-leak-after-failed-read.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2052,6 +2057,7 @@ fi
 
 * Wed Jan 18 2012 Josh Boyer <jwboyer at redhat.com>
 - CVE-2012-0056 proc: clean up and fix /proc/<pid>/mem (rhbz 782681)
+- loop: prevent information leak after failed read (rhbz 782687)
 
 * Tue Jan 17 2012 Josh Boyer <jwboyer at redhat.com>
 - CVE-2011-4127 possible privilege escalation via SG_IO ioctl (rhbz 769911)
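
Review bot: The added changelog line `- loop: prevent information leak after failed read (rhbz 782687)` carries only the bugzilla number, while the entries directly around it lead with a CVE id. If a CVE has been assigned to this information leak, put it at the start of the line so the fix can be found by CVE in the package changelog; if none has been assigned, the line is fine as it stands.
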
diff --git a/loop-prevent-information-leak-after-failed-read.patch b/loop-prevent-information-leak-after-failed-read.patch
new file mode 100644
index 0000000..040a234
--- /dev/null
+++ b/loop-prevent-information-leak-after-failed-read.patch
@@ -0,0 +1,41 @@
+From 3bb9068278ea524581237abadd41377a14717e7d Mon Sep 17 00:00:00 2001
+From: Dmitry Monakhov <dmonakhov at openvz.org>
+Date: Wed, 16 Nov 2011 09:21:48 +0100
+Subject: [PATCH] loop: prevent information leak after failed read
+
+If read was not fully successful we have to fail whole bio to prevent
+information leak of old pages
+
+##Testcase_begin
+dd if=/dev/zero of=./file bs=1M count=1
+losetup /dev/loop0 ./file -o 4096
+truncate -s 0 ./file
+# OOps loop offset is now beyond i_size, so read will silently fail.
+# So bio's pages would not be cleared, may which result in information leak.
+hexdump -C /dev/loop0
+##testcase_end
+
+Signed-off-by: Dmitry Monakhov <dmonakhov at openvz.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Jens Axboe <axboe at kernel.dk>
+---
+ drivers/block/loop.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index 3d80682..0d56739 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -372,7 +372,8 @@ do_lo_receive(struct loop_device *lo,
+ 
+ 	if (retval < 0)
+ 		return retval;
+-
++	if (retval != bvec->bv_len)
++		return -EIO;
+ 	return 0;
+ }
+ 
+-- 
+1.7.7.5
+
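
Review bot: In `do_lo_receive`, the new `retval != bvec->bv_len` check turns every short read into `-EIO` without a comment saying why, and the reason (the bio's pages would not be cleared and could expose old contents) lives only in the commit message. A one-line comment above the check would keep a later cleanup from relaxing it. The hunk also drops the blank line that separated the `retval < 0` return from what follows; keeping it would make the two error paths easier to tell apart. It is also worth confirming that a read which ends partway through a bvec is meant to fail the whole bio rather than have its unread tail zero-filled.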

