git.itanic.dy.fi Git - linux-stable/commit

author	Mikulas Patocka <mpatocka@redhat.com>
	Mon, 21 Oct 2013 11:59:30 +0000 (12:59 +0100)
committer	Willy Tarreau <w@1wt.eu>
	Mon, 19 May 2014 05:54:31 +0000 (07:54 +0200)
commit	1b3b362f84f5f2dd62d180447ba1a1681f5d993a
tree	d9e2346803c089256aadc1f5ffc9e3d5cf088a54	tree \| snapshot
parent	74fbc288d30a6da65187bded5834f36097fd738e	commit \| diff

dm snapshot: fix data corruption

CVE-2013-4299

BugLink: http://bugs.launchpad.net/bugs/1241769
This patch fixes a particular type of data corruption that has been
encountered when loading a snapshot's metadata from disk.

When we allocate a new chunk in persistent_prepare, we increment
ps->next_free and we make sure that it doesn't point to a metadata area
by further incrementing it if necessary.

When we load metadata from disk on device activation, ps->next_free is
positioned after the last used data chunk. However, if this last used
data chunk is followed by a metadata area, ps->next_free is positioned
erroneously to the metadata area. A newly-allocated chunk is placed at
the same location as the metadata area, resulting in data or metadata
corruption.

This patch changes the code so that ps->next_free skips the metadata
area when metadata are loaded in function read_exceptions.

The patch also moves a piece of code from persistent_prepare_exception
to a separate function skip_metadata to avoid code duplication.

CVE-2013-4299

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Cc: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
(back ported from commit e9c6a182649f4259db704ae15a91ac820e63b0ca)
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>