exfat: fix the new buffer was not zeroed before writing

In exfat, not only the newly allocated space will be mapped as the new buffer, but also the space between ->valid_size and the file size will be mapped as the new buffer. If the buffer is mapped as new in ->write_begin(), it will be zeroed. But if the buffer has been mapped as new before ->write_begin(), ->write_begin() will not zero them, resulting in access to uninitialized data. So this commit uses folio_zero_new_buffers() to zero the new buffers after ->write_begin(). Fixes: 6630ea49103c ("exfat: move extend valid_size into ->page_mkwrite()") Reported-by: [email protected] Closes: https://syzkaller.appspot.com/bug?extid=91ae49e1c1a2634d20c0 Tested-by: [email protected] Signed-off-by: Yuezhang Mo <[email protected]> Signed-off-by: Namjae Jeon <[email protected]>
namjaejeon · Dec 17, 2024 · 8dd285a · 8dd285a
1 parent 487c51f
commit 8dd285a
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/file.c b/file.c
@@ -643,6 +643,7 @@ static int exfat_extend_valid_size(struct file *file, loff_t new_valid_size)
 #else
 		struct page *page = NULL;
 #endif
+		unsigned long off;
 
 		len = PAGE_SIZE - (pos & (PAGE_SIZE - 1));
 		if (pos + len > new_valid_size)
@@ -660,6 +661,18 @@ static int exfat_extend_valid_size(struct file *file, loff_t new_valid_size)
 		if (err)
 			goto out;
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 12, 0)
+		off = offset_in_folio(folio, pos);
+		folio_zero_new_buffers(folio, off, off + len);
+#else
+		off = offset_in_page(pos);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 5, 0)
+		folio_zero_new_buffers(page_folio(page), off, off + len);
+#else
+		page_zero_new_buffers(page, off, off + len);
+#endif
+#endif
+
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 12, 0)
 		err = ops->write_end(file, mapping, pos, len, len, folio, NULL);
 #else
@@ -673,6 +686,8 @@ static int exfat_extend_valid_size(struct file *file, loff_t new_valid_size)
 		cond_resched();
 	}
 
+	return 0;
+
 out:
 	return err;
 }