diff options
author | Joern Engel <joern@logfs.org> | 2010-04-13 17:54:27 +0200 |
---|---|---|
committer | Joern Engel <joern@logfs.org> | 2010-04-13 17:54:27 +0200 |
commit | d3a03f8031000f8297823b80e36db536fd020884 (patch) | |
tree | d717a209e3cf2695d1a08c104296d0bd4544ee41 | |
parent | [LogFS] Prevent memory corruption on large deletes (diff) | |
download | linux-d3a03f8031000f8297823b80e36db536fd020884.tar.xz linux-d3a03f8031000f8297823b80e36db536fd020884.zip |
[LogFS] Plug 8 byte information leak
Within each journal segment, 8 bytes at offset 24 would remain
uninitialized.
Signed-off-by: Joern Engel <joern@logfs.org>
-rw-r--r-- | fs/logfs/journal.c | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/fs/logfs/journal.c b/fs/logfs/journal.c index 2c22a4ad5329..2957bfc21927 100644 --- a/fs/logfs/journal.c +++ b/fs/logfs/journal.c @@ -388,7 +388,10 @@ static void journal_get_erase_count(struct logfs_area *area) static int journal_erase_segment(struct logfs_area *area) { struct super_block *sb = area->a_sb; - struct logfs_segment_header sh; + union { + struct logfs_segment_header sh; + unsigned char c[ALIGN(sizeof(struct logfs_segment_header), 16)]; + } u; u64 ofs; int err; @@ -396,20 +399,21 @@ static int journal_erase_segment(struct logfs_area *area) if (err) return err; - sh.pad = 0; - sh.type = SEG_JOURNAL; - sh.level = 0; - sh.segno = cpu_to_be32(area->a_segno); - sh.ec = cpu_to_be32(area->a_erase_count); - sh.gec = cpu_to_be64(logfs_super(sb)->s_gec); - sh.crc = logfs_crc32(&sh, sizeof(sh), 4); + memset(&u, 0, sizeof(u)); + u.sh.pad = 0; + u.sh.type = SEG_JOURNAL; + u.sh.level = 0; + u.sh.segno = cpu_to_be32(area->a_segno); + u.sh.ec = cpu_to_be32(area->a_erase_count); + u.sh.gec = cpu_to_be64(logfs_super(sb)->s_gec); + u.sh.crc = logfs_crc32(&u.sh, sizeof(u.sh), 4); /* This causes a bug in segment.c. Not yet. */ //logfs_set_segment_erased(sb, area->a_segno, area->a_erase_count, 0); ofs = dev_ofs(sb, area->a_segno, 0); - area->a_used_bytes = ALIGN(sizeof(sh), 16); - logfs_buf_write(area, ofs, &sh, sizeof(sh)); + area->a_used_bytes = sizeof(u); + logfs_buf_write(area, ofs, &u, sizeof(u)); return 0; } |