From: Eric Biggers <ebiggers@kernel.org> To: linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim <jaegeuk@kernel.org>, Chao Yu <chao@kernel.org> Cc: Alexander Potapenko <glider@google.com>, stable@vger.kernel.org Subject: [PATCH] f2fs: fix information leak in f2fs_move_inline_dirents() Date: Sun, 22 Jan 2023 23:04:14 -0800 [thread overview] Message-ID: <20230123070414.138052-1-ebiggers@kernel.org> (raw) From: Eric Biggers <ebiggers@google.com> When converting an inline directory to a regular one, f2fs is leaking uninitialized memory to disk because it doesn't initialize the entire directory block. Fix this by zero-initializing the block. This bug was introduced by commit 4ec17d688d74 ("f2fs: avoid unneeded initializing when converting inline dentry"), which didn't consider the security implications of leaking uninitialized memory to disk. This was found by running xfstest generic/435 on a KMSAN-enabled kernel. Fixes: 4ec17d688d74 ("f2fs: avoid unneeded initializing when converting inline dentry") Cc: <stable@vger.kernel.org> # v4.3+ Signed-off-by: Eric Biggers <ebiggers@google.com> --- fs/f2fs/inline.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c index 08e302d32118d..72269e7efd260 100644 --- a/fs/f2fs/inline.c +++ b/fs/f2fs/inline.c @@ -421,18 +421,17 @@ static int f2fs_move_inline_dirents(struct inode *dir, struct page *ipage, dentry_blk = page_address(page); + /* + * Start by zeroing the full block, to ensure that all unused space is + * zeroed and no uninitialized memory is leaked to disk. + */ + memset(dentry_blk, 0, F2FS_BLKSIZE); + make_dentry_ptr_inline(dir, &src, inline_dentry); make_dentry_ptr_block(dir, &dst, dentry_blk); /* copy data from inline dentry block to new dentry block */ memcpy(dst.bitmap, src.bitmap, src.nr_bitmap); - memset(dst.bitmap + src.nr_bitmap, 0, dst.nr_bitmap - src.nr_bitmap); - /* - * we do not need to zero out remainder part of dentry and filename - * field, since we have used bitmap for marking the usage status of - * them, besides, we can also ignore copying/zeroing reserved space - * of dentry block, because them haven't been used so far. - */ memcpy(dst.dentry, src.dentry, SIZE_OF_DIR_ENTRY * src.max); memcpy(dst.filename, src.filename, src.max * F2FS_SLOT_LEN); base-commit: 7a2b15cfa8dbbd54beb4e2ce7b2f42eb0ad00425 -- 2.39.1
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org> To: linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim <jaegeuk@kernel.org>, Chao Yu <chao@kernel.org> Cc: Alexander Potapenko <glider@google.com>, stable@vger.kernel.org Subject: [f2fs-dev] [PATCH] f2fs: fix information leak in f2fs_move_inline_dirents() Date: Sun, 22 Jan 2023 23:04:14 -0800 [thread overview] Message-ID: <20230123070414.138052-1-ebiggers@kernel.org> (raw) From: Eric Biggers <ebiggers@google.com> When converting an inline directory to a regular one, f2fs is leaking uninitialized memory to disk because it doesn't initialize the entire directory block. Fix this by zero-initializing the block. This bug was introduced by commit 4ec17d688d74 ("f2fs: avoid unneeded initializing when converting inline dentry"), which didn't consider the security implications of leaking uninitialized memory to disk. This was found by running xfstest generic/435 on a KMSAN-enabled kernel. Fixes: 4ec17d688d74 ("f2fs: avoid unneeded initializing when converting inline dentry") Cc: <stable@vger.kernel.org> # v4.3+ Signed-off-by: Eric Biggers <ebiggers@google.com> --- fs/f2fs/inline.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c index 08e302d32118d..72269e7efd260 100644 --- a/fs/f2fs/inline.c +++ b/fs/f2fs/inline.c @@ -421,18 +421,17 @@ static int f2fs_move_inline_dirents(struct inode *dir, struct page *ipage, dentry_blk = page_address(page); + /* + * Start by zeroing the full block, to ensure that all unused space is + * zeroed and no uninitialized memory is leaked to disk. + */ + memset(dentry_blk, 0, F2FS_BLKSIZE); + make_dentry_ptr_inline(dir, &src, inline_dentry); make_dentry_ptr_block(dir, &dst, dentry_blk); /* copy data from inline dentry block to new dentry block */ memcpy(dst.bitmap, src.bitmap, src.nr_bitmap); - memset(dst.bitmap + src.nr_bitmap, 0, dst.nr_bitmap - src.nr_bitmap); - /* - * we do not need to zero out remainder part of dentry and filename - * field, since we have used bitmap for marking the usage status of - * them, besides, we can also ignore copying/zeroing reserved space - * of dentry block, because them haven't been used so far. - */ memcpy(dst.dentry, src.dentry, SIZE_OF_DIR_ENTRY * src.max); memcpy(dst.filename, src.filename, src.max * F2FS_SLOT_LEN); base-commit: 7a2b15cfa8dbbd54beb4e2ce7b2f42eb0ad00425 -- 2.39.1 _______________________________________________ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
next reply other threads:[~2023-01-23 7:05 UTC|newest] Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top 2023-01-23 7:04 Eric Biggers [this message] 2023-01-23 7:04 ` [f2fs-dev] [PATCH] f2fs: fix information leak in f2fs_move_inline_dirents() Eric Biggers 2023-01-23 8:58 ` Alexander Potapenko 2023-01-23 8:58 ` [f2fs-dev] " Alexander Potapenko via Linux-f2fs-devel 2023-01-23 18:19 ` Eric Biggers 2023-01-23 18:19 ` Eric Biggers 2023-01-25 10:10 ` Alexander Potapenko 2023-01-25 10:10 ` [f2fs-dev] " Alexander Potapenko via Linux-f2fs-devel 2023-01-29 9:57 ` Chao Yu 2023-01-29 9:57 ` [f2fs-dev] " Chao Yu 2023-01-30 23:00 ` patchwork-bot+f2fs 2023-01-30 23:00 ` patchwork-bot+f2fs
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20230123070414.138052-1-ebiggers@kernel.org \ --to=ebiggers@kernel.org \ --cc=chao@kernel.org \ --cc=glider@google.com \ --cc=jaegeuk@kernel.org \ --cc=linux-f2fs-devel@lists.sourceforge.net \ --cc=stable@vger.kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.