    dm snapshot: fix data corruption · 1b3b362f
    Mikulas Patocka authored
    CVE-2013-4299
    
    BugLink: http://bugs.launchpad.net/bugs/1241769
    
    This patch fixes a particular type of data corruption that has been
    encountered when loading a snapshot's metadata from disk.
    
    When we allocate a new chunk in persistent_prepare, we increment
    ps->next_free and we make sure that it doesn't point to a metadata area
    by further incrementing it if necessary.
    
    When we load metadata from disk on device activation, ps->next_free is
    positioned after the last used data chunk. However, if this last used
    data chunk is followed by a metadata area, ps->next_free is positioned
    erroneously to the metadata area. A newly-allocated chunk is placed at
    the same location as the metadata area, resulting in data or metadata
    corruption.
    
    This patch changes the code so that ps->next_free skips the metadata
    area when metadata are loaded in function read_exceptions.
    
    The patch also moves a piece of code from persistent_prepare_exception
    to a separate function skip_metadata to avoid code duplication.
    
    CVE-2013-4299
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Cc: stable@vger.kernel.org
    Cc: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Alasdair G Kergon <agk@redhat.com>
    (back ported from commit e9c6a182)
    Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
    Acked-by: Stefan Bader <stefan.bader@canonical.com>
    Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
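A constructed model of the allocation bug the message describes, added here as an editor's example rather than the kernel's own dm-snap-persistent.c. It assumes the store layout (chunk 0 is the header, then each area is one metadata chunk followed by exceptions_per_area data chunks) and the next_free formula; position_after_load(..., false) reproduces the pre-patch placement and true applies the factored-out skip_metadata.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model (added example, not the kernel's code): chunk 0 holds the
 * store header; every area is one metadata chunk followed by
 * exceptions_per_area data chunks, so metadata chunks sit at
 * 1, 1+stride, 1+2*stride, ... with stride = exceptions_per_area + 1. */
#define NUM_SNAPSHOT_HDR_CHUNKS 1

typedef uint64_t chunk_t;

struct pstore {
	uint32_t exceptions_per_area;
	chunk_t current_area;       /* area whose metadata holds the newest entry */
	uint32_t current_committed; /* entries already used in that area */
	chunk_t next_free;          /* next data chunk to hand out */
};

/* Chunk number of the metadata chunk that starts a given area. */
static chunk_t area_location(const struct pstore *ps, chunk_t area)
{
	return NUM_SNAPSHOT_HDR_CHUNKS + ((chunk_t)ps->exceptions_per_area + 1) * area;
}

/* True if chunk c is one of the metadata chunks in the layout above. */
static bool is_metadata_chunk(const struct pstore *ps, chunk_t c)
{
	chunk_t stride = (chunk_t)ps->exceptions_per_area + 1;
	return c % stride == NUM_SNAPSHOT_HDR_CHUNKS;
}

/* The helper the commit factors out of persistent_prepare_exception:
 * if next_free landed on a metadata chunk, step over it. */
static void skip_metadata(struct pstore *ps)
{
	chunk_t stride = (chunk_t)ps->exceptions_per_area + 1;
	if (ps->next_free % stride == NUM_SNAPSHOT_HDR_CHUNKS)
		ps->next_free++;
}

/* Position next_free after loading metadata from disk: one past the last
 * used data chunk. With fixed == false this is the pre-patch behaviour,
 * which lands on the next metadata chunk when the loaded area is full. */
static chunk_t position_after_load(struct pstore *ps, bool fixed)
{
	ps->next_free = (area_location(ps, ps->current_area) - 1) +
			(ps->current_committed + 1) + NUM_SNAPSHOT_HDR_CHUNKS;
	if (fixed)
		skip_metadata(ps);
	return ps->next_free;
}
```

With exceptions_per_area = 4 and area 0 completely full, the pre-patch placement yields chunk 6, which is area 1's metadata chunk; the patched path yields chunk 7, the first data chunk of area 1.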
Changed file: dm-snap-persistent.c (17.5 KB)