From: Greg Kroah-Hartman Date: Mon, 19 Aug 2024 04:42:37 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.1.107~143 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9a90d1eaf867481e88774d7136140de87c9fc582;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: fuse-initialize-beyond-eof-page-contents-before-setting-uptodate.patch --- diff --git a/queue-6.1/fuse-initialize-beyond-eof-page-contents-before-setting-uptodate.patch b/queue-6.1/fuse-initialize-beyond-eof-page-contents-before-setting-uptodate.patch new file mode 100644 index 00000000000..00ec3f31765 --- /dev/null +++ b/queue-6.1/fuse-initialize-beyond-eof-page-contents-before-setting-uptodate.patch 
@@ -0,0 +1,49 @@ +From 3c0da3d163eb32f1f91891efaade027fa9b245b9 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Tue, 6 Aug 2024 21:51:42 +0200 +Subject: fuse: Initialize beyond-EOF page contents before setting uptodate + +From: Jann Horn + +commit 3c0da3d163eb32f1f91891efaade027fa9b245b9 upstream. + +fuse_notify_store(), unlike fuse_do_readpage(), does not enable page +zeroing (because it can be used to change partial page contents). + +So fuse_notify_store() must be more careful to fully initialize page +contents (including parts of the page that are beyond end-of-file) +before marking the page uptodate. + +The current code can leave beyond-EOF page contents uninitialized, which +makes these uninitialized page contents visible to userspace via mmap(). + +This is an information leak, but only affects systems which do not +enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the +corresponding kernel command line parameter). + +Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2574 +Cc: stable@kernel.org +Fixes: a1d75f258230 ("fuse: add store request") +Signed-off-by: Jann Horn +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/dev.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -1615,9 +1615,11 @@ static int fuse_notify_store(struct fuse + + this_num = min_t(unsigned, num, PAGE_SIZE - offset); + err = fuse_copy_page(cs, &page, offset, this_num, 0); +- if (!err && offset == 0 && +- (this_num == PAGE_SIZE || file_size == end)) ++ if (!PageUptodate(page) && !err && offset == 0 && ++ (this_num == PAGE_SIZE || file_size == end)) { ++ zero_user_segment(page, this_num, PAGE_SIZE); + SetPageUptodate(page); ++ } + unlock_page(page); + put_page(page); + diff --git a/queue-6.1/series b/queue-6.1/series index 1e84452ef00..b1166f0b93a 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
@@ -1 +1,2 @@ tty-atmel_serial-use-the-correct-rts-flag.patch +fuse-initialize-beyond-eof-page-contents-before-setting-uptodate.patch
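Review bot: the new `zero_user_segment(page, this_num, PAGE_SIZE)` call in the fs/fuse/dev.c hunk deserves a short comment explaining why the tail of the page is cleared here, because the reason is only in the commit message: this path copies into the page without page zeroing, so when `file_size == end` and `this_num < PAGE_SIZE` the bytes from `this_num` to `PAGE_SIZE` are beyond EOF and would otherwise remain uninitialized yet become readable through mmap() the moment `SetPageUptodate(page)` runs (when `this_num == PAGE_SIZE` the zeroed range is empty and the call is a no-op). The `!PageUptodate(page)` term added at the front of the condition is also worth a word, since it is what makes the block skip both the zeroing and the flag set for a page that is already uptodate; something like `/* Page was not uptodate: clear the beyond-EOF tail before exposing it */` above the call would save the next reader a trip to the Project Zero link.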