From 46960cebc16c926ab025bbbc62a682dd826ad404 Mon Sep 17 00:00:00 2001 From: Miklos Szeredi Date: Thu, 2 Jun 2005 09:05:00 +0000 Subject: [PATCH] security fix --- ChangeLog | 8 ++++++++ Filesystems | 2 +- kernel/dev.c | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index fe88ba4..698b3c5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2005-06-02 Miklos Szeredi + + * Fix serious information leak: if the filesystem returns a short + byte count to a read request, and there are non-zero number of + pages which are not filled at all, these pages will not be zeroed. + Hence the user can read out previous memory contents. Found by + Sven Tantau. + 2005-05-27 Miklos Szeredi * Add "readdir_ino" mount option, which tries to fill in the d_ino diff --git a/Filesystems b/Filesystems index 38e30d7..4c8fb75 100644 --- a/Filesystems +++ b/Filesystems @@ -283,7 +283,7 @@ Name: SSHFS-FUSE Author: Miklos Szeredi / miklos at szeredi hu -Homepage: http://sourceforge.net/project/showfiles.php?group_id=121684&package_id=140425 +Homepage: http://fuse.sourceforge.net/sshfs.html Description: diff --git a/kernel/dev.c b/kernel/dev.c index 0bad236..81cc2be 100644 --- a/kernel/dev.c +++ b/kernel/dev.c @@ -563,7 +563,7 @@ static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes, unsigned offset = req->page_offset; unsigned count = min(nbytes, (unsigned) PAGE_SIZE - offset); - for (i = 0; i < req->num_pages && nbytes; i++) { + for (i = 0; i < req->num_pages && (nbytes || zeroing); i++) { struct page *page = req->pages[i]; int err = fuse_copy_page(cs, page, offset, count, zeroing); if (err) -- 2.30.2