[PATCHv2 2/2] zram: clear trailing bytes of compressed writeback pages

Next message: Hui Zhu: "[RFC PATCH bpf-next v7 09/11] selftests/bpf: Add test for memcg_bpf_ops hierarchies"
Previous message: Sergey Senozhatsky: "[PATCHv2 1/2] zram: do not leak blk idx at the end of writeback"
In reply to: Sergey Senozhatsky: "[PATCHv2 1/2] zram: do not leak blk idx at the end of writeback"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sergey Senozhatsky

Date: Mon May 25 2026 - 22:31:37 EST

When compressed writeback is available writtenback pages
contain "garbage" in PAGE_SIZE - obj_size trailing bytes.
That "garbage" is, basically, whatever data that page held
before we got it for writeback. To get advantage of it an
attacker needs to be able to read from active backing swap
device, which is already catastrophic. Still, just in case,
zero out those trailing bytes before writeback to a backing
device so that we only store swap-ed out data there.

Fixes: d38fab605c66 ("zram: introduce compressed data writeback")
Suggested-by: Brian Geffon <bgeffon@xxxxxxxxxx>
Signed-off-by: Sergey Senozhatsky <senozhatsky@xxxxxxxxxxxx>
---
drivers/block/zram/zram_drv.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
index 602abfe23797..7917fc7a2a29 100644
--- a/drivers/block/zram/zram_drv.c
+++ b/drivers/block/zram/zram_drv.c
@@ -2134,6 +2134,8 @@ static int read_from_zspool_raw(struct zram *zram, struct page *page, u32 index)
zs_obj_read_end(zram->mem_pool, handle, size, src);
zcomp_stream_put(zstrm);

+ memzero_page(page, size, PAGE_SIZE - size);
+
return 0;
}
#endif
--
2.54.0.746.g67dd491aae-goog