Bug 761410

Summary: kernel: loop: prevent information leak after failed read
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: arozansk, bhu, dhoward, fhrbata, jkacur, kernel-mgr, lgoncalv, nobody, rt-maint, vgoyal, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2021-10-19 21:50:13 UTC
Bug Depends On: 761415, 761416, 761417, 761418, 761419, 761420, 782687
Bug Blocks: 761394

Description Eugene Teo (Security Response) 2011-12-08 09:34:56 UTC
If read was not fully successful we have to fail whole bio to prevent
information leak of old pages

dd if=/dev/zero of=./file bs=1M count=1
losetup /dev/loop0 ./file -o 4096
truncate -s 0 ./file

Oops, the loop offset is now beyond i_size, so the read will silently fail.
So the bio's pages would not be cleared, which may result in an information leak.

hexdump -C /dev/loop0

Upstream commit:
http://git.kernel.org/linus/3bb9068278ea524581237abadd41377a14717e7d (v3.2-rc3)
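
The failure described above, as an added userspace model (not kernel code and not taken from the upstream commit): a read whose offset lies beyond the backing file's size copies nothing, and the request is only safe if that short read fails instead of being reported as success. All names here (`backing`, `serve_read_leaky`, `serve_read_strict`, `stale_data_visible`) are hypothetical, and the buffer contents are constructed sample data.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Model of the backing file: contents plus current size (stands in for i_size). */
struct backing { const unsigned char *data; size_t size; };

/* Copy up to len bytes from offset off; returns bytes copied, 0 when off is past the end. */
static long backing_read(const struct backing *b, size_t off, unsigned char *dst, size_t len)
{
    if (off >= b->size)
        return 0;
    size_t n = (b->size - off < len) ? b->size - off : len;
    memcpy(dst, b->data + off, n);
    return (long)n;
}

/* Flawed pattern: a short read is reported as success; the unread part of buf keeps old bytes. */
int serve_read_leaky(const struct backing *b, size_t off, unsigned char *buf, size_t len)
{
    long n = backing_read(b, off, buf, len);
    return n < 0 ? (int)n : 0;
}

/* Hardened pattern: anything short of the full length fails the whole request. */
int serve_read_strict(const struct backing *b, size_t off, unsigned char *buf, size_t len)
{
    long n = backing_read(b, off, buf, len);
    return (n < 0) ? (int)n : ((size_t)n == len ? 0 : -EIO);
}

typedef int (*serve_fn)(const struct backing *, size_t, unsigned char *, size_t);

/* Returns 1 if a "successful" read hands back bytes left over in a recycled buffer. */
int stale_data_visible(serve_fn serve)
{
    static const char old[] = "constructed-old-page-contents";
    unsigned char page[64];
    struct backing truncated = { (const unsigned char *)"", 0 };  /* after truncate -s 0 */
    memcpy(page, old, sizeof old);            /* buffer last held someone else's data */
    int rc = serve(&truncated, 4096, page, sizeof page);  /* offset 4096, as in losetup -o */
    return rc == 0 && memcmp(page, old, sizeof old) == 0;
}

int main(void)
{
    printf("leaky=%d strict=%d\n", stale_data_visible(serve_read_leaky),
           stale_data_visible(serve_read_strict));
    return 0;
}
```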

Comment 3 Eugene Teo (Security Response) 2012-01-05 04:21:40 UTC
Not a security issue; fixing this as a normal bug.

Comment 4 Eugene Teo (Security Response) 2012-01-05 04:23:00 UTC
$ ll /dev/loop*
brw-rw----. 1 root disk 7, 0 Dec  7 12:28 /dev/loop0
brw-rw----. 1 root disk 7, 1 Nov 22 18:58 /dev/loop1
brw-rw----. 1 root disk 7, 2 Nov 22 18:58 /dev/loop2
brw-rw----. 1 root disk 7, 3 Nov 22 18:58 /dev/loop3

Comment 5 Eugene Teo (Security Response) 2012-01-18 07:14:27 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 782687]