This is a note to let you know that I've just added the patch titled
f2fs: fix information leak in f2fs_move_inline_dirents()
to the 5.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
f2fs-fix-information-leak-in-f2fs_move_inline_dirents.patch
and it can be found in the queue-5.10 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 9a5571cff4ffcfc24847df9fd545cc5799ac0ee5 Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@xxxxxxxxxx>
Date: Sun, 22 Jan 2023 23:04:14 -0800
Subject: f2fs: fix information leak in f2fs_move_inline_dirents()
From: Eric Biggers <ebiggers@xxxxxxxxxx>
commit 9a5571cff4ffcfc24847df9fd545cc5799ac0ee5 upstream.
When converting an inline directory to a regular one, f2fs is leaking
uninitialized memory to disk because it doesn't initialize the entire
directory block. Fix this by zero-initializing the block.
This bug was introduced by commit 4ec17d688d74 ("f2fs: avoid unneeded
initializing when converting inline dentry"), which didn't consider the
security implications of leaking uninitialized memory to disk.
This was found by running xfstest generic/435 on a KMSAN-enabled kernel.
Fixes: 4ec17d688d74 ("f2fs: avoid unneeded initializing when converting inline dentry")
Cc: <stable@xxxxxxxxxxxxxxx> # v4.3+
Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
Reviewed-by: Chao Yu <chao@xxxxxxxxxx>
Signed-off-by: Jaegeuk Kim <jaegeuk@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/f2fs/inline.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
--- a/fs/f2fs/inline.c
+++ b/fs/f2fs/inline.c
@@ -420,18 +420,17 @@ static int f2fs_move_inline_dirents(stru
dentry_blk = page_address(page);
+ /*
+ * Start by zeroing the full block, to ensure that all unused space is
+ * zeroed and no uninitialized memory is leaked to disk.
+ */
+ memset(dentry_blk, 0, F2FS_BLKSIZE);
+
make_dentry_ptr_inline(dir, &src, inline_dentry);
make_dentry_ptr_block(dir, &dst, dentry_blk);
/* copy data from inline dentry block to new dentry block */
memcpy(dst.bitmap, src.bitmap, src.nr_bitmap);
- memset(dst.bitmap + src.nr_bitmap, 0, dst.nr_bitmap - src.nr_bitmap);
- /*
- * we do not need to zero out remainder part of dentry and filename
- * field, since we have used bitmap for marking the usage status of
- * them, besides, we can also ignore copying/zeroing reserved space
- * of dentry block, because them haven't been used so far.
- */
memcpy(dst.dentry, src.dentry, SIZE_OF_DIR_ENTRY * src.max);
memcpy(dst.filename, src.filename, src.max * F2FS_SLOT_LEN);
Patches currently in stable-queue which might be from ebiggers@xxxxxxxxxx are
queue-5.10/crypto-x86-ghash-fix-unaligned-access-in-ghash_setke.patch
queue-5.10/f2fs-fix-cgroup-writeback-accounting-with-fs-layer-encryption.patch
queue-5.10/f2fs-fix-information-leak-in-f2fs_move_inline_dirents.patch
queue-5.10/lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch
