Re: truncate shows non zero data beyond the end of the inode with MAP_SHARED

From: Andrea Arcangeli
Date: Fri Sep 17 2004 - 08:57:31 EST


On Fri, Sep 17, 2004 at 03:49:18PM +0200, Helge Hafting wrote:
> I am assuming that the "garbage" between i_size and the
> page boundary is stuff left over from whatever that
> memory page was used for earlier? If so, it could be
> 4095 bytes out of the 4096 that was used to cache some
> other file earlier. Possibly someone else's confidential file.
> Or a piece of some network package that was processed a while ago.

I see what you mean now, but this is not the case, the new page is
cleared by block_truncate_page, as Andrew pointed out. So when we get a
new partial page we zero out the content beyond the end of the inode.
It's when we extend again that we don't do anything on such partial page
previously processed and zeroed-out by block_truncate_page. So there
can't be some network data processed a while ago, or other random memory
content. It's just up to the application to be correct and not to write
its own data beyond the end of the i_size if it doesn't want this data
to hit disk (and other data will be written anyways below the i_size,
which has the same issue). So basically I don't see any security issue.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/