stable inclusion
from stable-v6.6.48
commit ac42e0f0eb66af966015ee33fd355bc6f5d80cd6
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOAMF
CVE: CVE-2024-44947

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ac42e0f0eb66af966015ee33fd355bc6f5d80cd6

--------------------------------

commit 3c0da3d163eb32f1f91891efaade027fa9b245b9 upstream.

fuse_notify_store(), unlike fuse_do_readpage(), does not enable page zeroing (because it can be used to change partial page contents).

So fuse_notify_store() must be more careful to fully initialize page contents (including parts of the page that are beyond end-of-file) before marking the page uptodate.

The current code can leave beyond-EOF page contents uninitialized, which makes these uninitialized page contents visible to userspace via mmap().

This is an information leak, but only affects systems which do not enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the corresponding kernel command line parameter).

Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2574
Cc: stable@kernel.org
Fixes: a1d75f25 ("fuse: add store request")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yifan Qiao <qiaoyifan4@huawei.com>
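The bug class the commit message describes, modelled in user space as an added example (this is not the kernel's code and not the patch itself; `struct page`, `store_unzeroed`, `store_zeroed`, `count_leaked_tail_bytes` and `MODEL_PAGE_SIZE` are hypothetical names for this illustration). A freshly allocated page is filled with a stale marker pattern to stand in for a system without init-on-alloc. The first store path copies a partial page that ends exactly at EOF and marks it uptodate without touching the tail, so the marker bytes beyond EOF remain readable. The hardened path zeroes the tail beyond the stored bytes before marking the page uptodate, which is the "fully initialize page contents beyond end-of-file" requirement stated in the message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical page size for this user-space model (not the kernel's PAGE_SIZE). */
#define MODEL_PAGE_SIZE 4096

/* Minimal stand-in for a page cache page: contents plus an uptodate flag. */
struct page {
    unsigned char data[MODEL_PAGE_SIZE];
    int uptodate;
};

/* Constructed stale contents: what a recycled page may hold when init-on-alloc is off. */
static void page_fill_stale(struct page *pg)
{
    memset(pg->data, 0xAA, MODEL_PAGE_SIZE);
    pg->uptodate = 0;
}

/* Pre-fix behaviour as described in the message: copy `num` bytes at offset 0
 * and mark the page uptodate because the store ends at EOF, leaving the
 * tail [num, MODEL_PAGE_SIZE) untouched. */
static void store_unzeroed(struct page *pg, const unsigned char *src,
                           size_t num, size_t file_size, size_t page_index)
{
    size_t end = page_index * MODEL_PAGE_SIZE + num;

    memcpy(pg->data, src, num);
    if (num == MODEL_PAGE_SIZE || file_size == end)
        pg->uptodate = 1;
}

/* Hardened behaviour: before the page becomes uptodate, every byte beyond the
 * stored range is explicitly zeroed, so nothing stale survives past EOF. */
static void store_zeroed(struct page *pg, const unsigned char *src,
                         size_t num, size_t file_size, size_t page_index)
{
    size_t end = page_index * MODEL_PAGE_SIZE + num;

    memcpy(pg->data, src, num);
    if (!pg->uptodate && (num == MODEL_PAGE_SIZE || file_size == end)) {
        if (num < MODEL_PAGE_SIZE)
            memset(pg->data + num, 0, MODEL_PAGE_SIZE - num);
        pg->uptodate = 1;
    }
}

/* What a reader of an uptodate page would observe beyond EOF: count the
 * non-zero bytes in the tail. A page that is not uptodate is not exposed. */
static size_t count_leaked_tail_bytes(const struct page *pg, size_t num)
{
    size_t leaked = 0;

    if (!pg->uptodate)
        return 0;
    for (size_t i = num; i < MODEL_PAGE_SIZE; i++)
        if (pg->data[i] != 0)
            leaked++;
    return leaked;
}

/* Run one partial store of `num` bytes into page 0 of a file that ends there. */
static void do_store(struct page *pg, int zero_tail, size_t num)
{
    unsigned char payload[MODEL_PAGE_SIZE];

    memset(payload, 'x', sizeof payload);   /* constructed file contents */
    page_fill_stale(pg);
    if (zero_tail)
        store_zeroed(pg, payload, num, num, 0);
    else
        store_unzeroed(pg, payload, num, num, 0);
}

/* Number of stale bytes exposed beyond EOF after a 100-byte store. */
size_t run_store(int zero_tail)
{
    struct page pg;

    do_store(&pg, zero_tail, 100);
    return count_leaked_tail_bytes(&pg, 100);
}

/* Both paths still mark the page uptodate; only the tail handling differs. */
int store_marks_uptodate(int zero_tail)
{
    struct page pg;

    do_store(&pg, zero_tail, 100);
    return pg.uptodate;
}

int main(void)
{
    printf("unzeroed store exposes %zu stale bytes beyond EOF\n", run_store(0));
    printf("zeroed store exposes %zu stale bytes beyond EOF\n", run_store(1));
    return 0;
}
```

The model keeps the page-uptodate condition identical in both paths so the only difference is whether the tail is initialized; that isolates the property a reviewer would check in the real code, namely that no path can set the uptodate flag on a page whose beyond-EOF bytes have not been written.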