tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'dm-3.12-fix-cve' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

Pull device-mapper fix from Alasdair Kergon:
"A patch to avoid data corruption in a device-mapper snapshot.

This is primarily a data corruption bug that all users of
device-mapper snapshots will want to fix. The CVE is due to a data
leak under specific circumstances if, for example, the snapshot is
presented to a virtual machine: a block written as data inside the VM
can get interpreted incorrectly on the host outside the VM as
metadata, causing the host to provide the VM with access to blocks it
would not otherwise see. This is likely to affect few, if any,
people"

* tag 'dm-3.12-fix-cve' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
dm snapshot: fix data corruption

Linus Torvalds 8359ffa5 386aa051

+12 -6
+12 -6
drivers/md/dm-snap-persistent.c
··· 269 269 return NUM_SNAPSHOT_HDR_CHUNKS + ((ps->exceptions_per_area + 1) * area); 270 270 } 271 271 272 + static void skip_metadata(struct pstore *ps) 273 + { 274 + uint32_t stride = ps->exceptions_per_area + 1; 275 + chunk_t next_free = ps->next_free; 276 + if (sector_div(next_free, stride) == NUM_SNAPSHOT_HDR_CHUNKS) 277 + ps->next_free++; 278 + } 279 + 272 280 /* 273 281 * Read or write a metadata area. Remembering to skip the first 274 282 * chunk which holds the header. ··· 510 502 511 503 ps->current_area--; 512 504 505 + skip_metadata(ps); 506 + 513 507 return 0; 514 508 } 515 509 ··· 626 616 struct dm_exception *e) 627 617 { 628 618 struct pstore *ps = get_info(store); 629 - uint32_t stride; 630 - chunk_t next_free; 631 619 sector_t size = get_dev_size(dm_snap_cow(store->snap)->bdev); 632 620 633 621 /* Is there enough room ? */ ··· 638 630 * Move onto the next free pending, making sure to take 639 631 * into account the location of the metadata chunks. 640 632 */ 641 - stride = (ps->exceptions_per_area + 1); 642 - next_free = ++ps->next_free; 643 - if (sector_div(next_free, stride) == 1) 644 - ps->next_free++; 633 + ps->next_free++; 634 + skip_metadata(ps); 645 635 646 636 atomic_inc(&ps->pending_count); 647 637 return 0;