From 0d60ec82edfa3aae0b5ba48e489151582f0150a6 Mon Sep 17 00:00:00 2001
From: millert
Date: Sat, 13 Jan 2018 15:56:02 +0000
Subject: [PATCH] Add comment describing why we need to clear the buffer if uiomove() fails, adapted from FreeBSD. Also avoid clearing the buffer if it was cleared when allocated. OK deraadt@ otto@
---
 sys/ufs/ffs/ffs_vnops.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/sys/ufs/ffs/ffs_vnops.c b/sys/ufs/ffs/ffs_vnops.c
index 87cd37de921..0d14649adf0 100644
--- a/sys/ufs/ffs/ffs_vnops.c
+++ b/sys/ufs/ffs/ffs_vnops.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ffs_vnops.c,v 1.89 2017/12/30 20:47:00 guenther Exp $ */
+/* $OpenBSD: ffs_vnops.c,v 1.90 2018/01/13 15:56:02 millert Exp $ */
 /* $NetBSD: ffs_vnops.c,v 1.7 1996/05/11 18:27:24 mycroft Exp $ */
 /*
@@ -357,8 +357,17 @@ ffs_write(void *v)
 xfersize = size;
 error = uiomove(bp->b_data + blkoffset, xfersize, uio);
-
- if (error != 0)
+ /*
+ * If the buffer is not already filled and we encounter an
+ * error while trying to fill it, we have to clear out any
+ * garbage data from the pages instantiated for the buffer.
+ * If we do not, a failed uiomove() during a write can leave
+ * the prior contents of the pages exposed to a userland mmap.
+ *
+ * Note that we don't need to clear buffers that were
+ * allocated with the B_CLRBUF flag set.
+ */
+ if (error != 0 && !(flags & B_CLRBUF))
 memset(bp->b_data + blkoffset, 0, xfersize);
 #if 0
-- 
2.20.1
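Review bot: The new condition `if (error != 0 && !(flags & B_CLRBUF))` in the second hunk tests only the local `flags`, while the comment above it opens with "If the buffer is not already filled", a state the code never checks on `bp` itself. Skipping the memset only prevents the stale-page exposure the comment describes if `flags` still holds exactly the value that was passed to the block allocator for `bp`; both the assignment to `flags` and the allocation call lie outside the hunk, so that cannot be confirmed from here. I would spell the invariant out in the comment, for example `* allocated with the B_CLRBUF flag set; flags must be unchanged since bp was allocated.`, so that a later edit reusing `flags` does not silently reintroduce the leak. Note also that when the memset is skipped, any bytes uiomove() may have copied before failing now stay in the buffer, whereas the old code zeroed the range on every error; it is worth confirming that the error path after this point (not visible here) is happy with that.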