From ad4c60c03da897ad2a0453b0ccd79e6b106f2112 Mon Sep 17 00:00:00 2001
From: millert
Date: Sat, 13 Jan 2018 15:57:58 +0000
Subject: [PATCH] In ext2fs_write(), clear the buffer on uiomove() failure unless it was cleared on alloc just like we do in ffs_write().
---
 sys/ufs/ext2fs/ext2fs_readwrite.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/sys/ufs/ext2fs/ext2fs_readwrite.c b/sys/ufs/ext2fs/ext2fs_readwrite.c
index 55d2635b323..e58b2a20c5d 100644
--- a/sys/ufs/ext2fs/ext2fs_readwrite.c
+++ b/sys/ufs/ext2fs/ext2fs_readwrite.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ext2fs_readwrite.c,v 1.43 2018/01/08 16:16:16 millert Exp $ */
+/* $OpenBSD: ext2fs_readwrite.c,v 1.44 2018/01/13 15:57:58 millert Exp $ */
 /* $NetBSD: ext2fs_readwrite.c,v 1.16 2001/02/27 04:37:47 chs Exp $ */
 /*-
@@ -323,6 +323,18 @@ ext2fs_write(void *v)
 xfersize = size;
 error = uiomove(bp->b_data + blkoffset, xfersize, uio);
+ /*
+ * If the buffer is not already filled and we encounter an
+ * error while trying to fill it, we have to clear out any
+ * garbage data from the pages instantiated for the buffer.
+ * If we do not, a failed uiomove() during a write can leave
+ * the prior contents of the pages exposed to a userland mmap.
+ *
+ * Note that we don't need to clear buffers that were
+ * allocated with the B_CLRBUF flag set.
+ */
+ if (error != 0 && !(flags & B_CLRBUF))
+ memset(bp->b_data + blkoffset, 0, xfersize);
 #if 0
 if (ioflag & IO_NOCACHE)
 bp->b_flags |= B_NOCACHE;
--
2.20.1
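Review bot: The memset under the added `if (error != 0 && !(flags & B_CLRBUF))` zeroes only `xfersize` bytes starting at `blkoffset`, so stale page contents stay fully hidden only if a buffer allocated without B_CLRBUF is always covered in full by this transfer. That invariant depends on where `flags` is computed, which is outside the hunk, and the context line `xfersize = size;` shows that xfersize can be lowered just before the copy. After checking it against the flag computation, I would add a line to the comment such as `* Without B_CLRBUF the transfer is expected to span the whole block, so clearing xfersize bytes at blkoffset is sufficient.`; if the invariant does not hold, the whole buffer should be cleared instead. ext2fs_write() starts and ends outside the hunk, so how `error` is handled afterwards, and whether the zeroed buffer is still written out, cannot be confirmed from here.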