loop: prevent information leak after failed read (rhbz 782687)

2012-01-18 10:23:39 -05:00 · 2012-01-18 10:23:39 -05:00 · 4a39227a15
parent feea98915e
commit 4a39227a15
2 changed files with 47 additions and 0 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -885,6 +885,8 @@ Patch21079: 03-dm-dont-fwd-ioctls-from-LVs-to-underlying-dev.patch
 #rhbz 782681
 Patch21085: proc-clean-up-and-fix-proc-pid-mem-handling.patch

+#rhbz 782687
+Patch21086: loop-prevent-information-leak-after-failed-read.patch

 %endif

@ -1635,6 +1637,9 @@ ApplyPatch 03-dm-dont-fwd-ioctls-from-LVs-to-underlying-dev.patch
 #rhbz 782681
 ApplyPatch proc-clean-up-and-fix-proc-pid-mem-handling.patch

+#rhbz 782687
+ApplyPatch loop-prevent-information-leak-after-failed-read.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -2411,6 +2416,7 @@ fi
 %changelog
 * Wed Jan 18 2012 Josh Boyer <jwboyer@redhat.com>
 - CVE-2012-0056 proc: clean up and fix /proc/<pid>/mem (rhbz 782681)
+- loop: prevent information leak after failed read (rhbz 782687)

 * Tue Jan 17 2012 Josh Boyer <jwboyer@redhat.com>
 - CVE-2011-4127 possible privilege escalation via SG_IO ioctl (rhbz 769911)
--- a/loop-prevent-information-leak-after-failed-read.patch
+++ b/loop-prevent-information-leak-after-failed-read.patch
@ -0,0 +1,41 @@
+From 3bb9068278ea524581237abadd41377a14717e7d Mon Sep 17 00:00:00 2001
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+Date: Wed, 16 Nov 2011 09:21:48 +0100
+Subject: [PATCH] loop: prevent information leak after failed read
+
+If read was not fully successful we have to fail whole bio to prevent
+information leak of old pages
+
+##Testcase_begin
+dd if=/dev/zero of=./file bs=1M count=1
+losetup /dev/loop0 ./file -o 4096
+truncate -s 0 ./file
+# OOps loop offset is now beyond i_size, so read will silently fail.
+# So bio's pages would not be cleared, may which result in information leak.
+hexdump -C /dev/loop0
+##testcase_end
+
+Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+---
+ drivers/block/loop.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index 3d80682..0d56739 100644
+--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
+@@ -372,7 +372,8 @@ do_lo_receive(struct loop_device *lo,
+ 
+ 	if (retval < 0)
+ 		return retval;
+-
+	if (retval != bvec->bv_len)
+		return -EIO;
+ 	return 0;
+ }
+ 
+-- 
+1.7.7.5
+