Commit 1b3b362f authored by Mikulas Patocka's avatar Mikulas Patocka Committed by Willy Tarreau

dm snapshot: fix data corruption

CVE-2013-4299

BugLink: http://bugs.launchpad.net/bugs/1241769

This patch fixes a particular type of data corruption that has been
encountered when loading a snapshot's metadata from disk.

When we allocate a new chunk in persistent_prepare, we increment
ps->next_free and we make sure that it doesn't point to a metadata area
by further incrementing it if necessary.

When we load metadata from disk on device activation, ps->next_free is
positioned after the last used data chunk. However, if this last used
data chunk is followed by a metadata area, ps->next_free is positioned
erroneously to the metadata area. A newly-allocated chunk is placed at
the same location as the metadata area, resulting in data or metadata
corruption.

This patch changes the code so that ps->next_free skips the metadata
area when metadata are loaded in function read_exceptions.

The patch also moves a piece of code from persistent_prepare_exception
to a separate function skip_metadata to avoid code duplication.

CVE-2013-4299
Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Cc: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
(back ported from commit e9c6a182)
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
Acked-by: default avatarStefan Bader <stefan.bader@canonical.com>
Signed-off-by: default avatarTim Gardner <tim.gardner@canonical.com>
Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
parent 74fbc288
...@@ -252,6 +252,14 @@ static chunk_t area_location(struct pstore *ps, chunk_t area) ...@@ -252,6 +252,14 @@ static chunk_t area_location(struct pstore *ps, chunk_t area)
return 1 + ((ps->exceptions_per_area + 1) * area); return 1 + ((ps->exceptions_per_area + 1) * area);
} }
static void skip_metadata(struct pstore *ps)
{
uint32_t stride = ps->exceptions_per_area + 1;
chunk_t next_free = ps->next_free;
if (sector_div(next_free, stride) == 1)
ps->next_free++;
}
/* /*
* Read or write a metadata area. Remembering to skip the first * Read or write a metadata area. Remembering to skip the first
* chunk which holds the header. * chunk which holds the header.
...@@ -481,6 +489,8 @@ static int read_exceptions(struct pstore *ps, ...@@ -481,6 +489,8 @@ static int read_exceptions(struct pstore *ps,
ps->current_area--; ps->current_area--;
skip_metadata(ps);
return 0; return 0;
} }
...@@ -587,8 +597,6 @@ static int persistent_prepare_exception(struct dm_exception_store *store, ...@@ -587,8 +597,6 @@ static int persistent_prepare_exception(struct dm_exception_store *store,
struct dm_snap_exception *e) struct dm_snap_exception *e)
{ {
struct pstore *ps = get_info(store); struct pstore *ps = get_info(store);
uint32_t stride;
chunk_t next_free;
sector_t size = get_dev_size(store->cow->bdev); sector_t size = get_dev_size(store->cow->bdev);
/* Is there enough room ? */ /* Is there enough room ? */
...@@ -601,10 +609,8 @@ static int persistent_prepare_exception(struct dm_exception_store *store, ...@@ -601,10 +609,8 @@ static int persistent_prepare_exception(struct dm_exception_store *store,
* Move onto the next free pending, making sure to take * Move onto the next free pending, making sure to take
* into account the location of the metadata chunks. * into account the location of the metadata chunks.
*/ */
stride = (ps->exceptions_per_area + 1); ps->next_free++;
next_free = ++ps->next_free; skip_metadata(ps);
if (sector_div(next_free, stride) == 1)
ps->next_free++;
atomic_inc(&ps->pending_count); atomic_inc(&ps->pending_count);
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment