git: 7d08a7e6908b - releng/13.2 - msdosfs: zero partially valid extended cluster

From: Gordon Tetlow <gordon_at_FreeBSD.org>
Date: Tue, 03 Oct 2023 22:13:57 UTC 
The branch releng/13.2 has been updated by gordon:

URL: https://cgit.FreeBSD.org/src/commit/?id=7d08a7e6908b3ffb72061b7517ed29814d62355b

commit 7d08a7e6908b3ffb72061b7517ed29814d62355b
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2023-10-03 21:23:40 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2023-10-03 21:23:40 +0000

    msdosfs: zero partially valid extended cluster
    
    Approved by:    so
    Security:       FreeBSD-SA-23:12.msdosfs
    Security:       CVE-2023-5368
---
 sys/fs/msdosfs/msdosfs_denode.c | 53 +++++++++++++++++++++++++++++++++--------
 1 file changed, 43 insertions(+), 10 deletions(-)

diff --git a/sys/fs/msdosfs/msdosfs_denode.c b/sys/fs/msdosfs/msdosfs_denode.c
index 030c96d6d354..37d23f2ce60b 100644
--- a/sys/fs/msdosfs/msdosfs_denode.c
+++ b/sys/fs/msdosfs/msdosfs_denode.c
@@ -384,10 +384,8 @@ detrunc(struct denode *dep, u_long length, int flags, struct ucred *cred)
 		return (EINVAL);
 	}
 
-	if (dep->de_FileSize < length) {
-		vnode_pager_setsize(DETOV(dep), length);
+	if (dep->de_FileSize < length)
 		return (deextend(dep, length, cred));
-	}
 
 	/*
 	 * If the desired length is 0 then remember the starting cluster of
@@ -496,13 +494,16 @@ int
 deextend(struct denode *dep, u_long length, struct ucred *cred)
 {
 	struct msdosfsmount *pmp = dep->de_pmp;
+	struct vnode *vp = DETOV(dep);
+	struct buf *bp;
+	off_t eof_clusteroff;
 	u_long count;
 	int error;
 
 	/*
 	 * The root of a DOS filesystem cannot be extended.
 	 */
-	if ((DETOV(dep)->v_vflag & VV_ROOT) && !FAT32(pmp))
+	if ((vp->v_vflag & VV_ROOT) != 0 && !FAT32(pmp))
 		return (EINVAL);
 
 	/*
@@ -522,15 +523,47 @@ deextend(struct denode *dep, u_long length, struct ucred *cred)
 		if (count > pmp->pm_freeclustercount)
 			return (ENOSPC);
 		error = extendfile(dep, count, NULL, NULL, DE_CLEAR);
-		if (error) {
-			/* truncate the added clusters away again */
-			(void) detrunc(dep, dep->de_FileSize, 0, cred);
-			return (error);
-		}
+		if (error != 0)
+			goto rewind;
 	}
+
+	/*
+	 * For the case of cluster size larger than the page size, we
+	 * need to ensure that the possibly dirty partial buffer at
+	 * the old end of file is not filled with invalid pages by
+	 * extension.  Otherwise it has a contradictory state of
+	 * B_CACHE | B_DELWRI but with invalid pages, and cannot be
+	 * neither written out nor validated.
+	 *
+	 * Fix it by proactively clearing extended pages.  Need to do
+	 * both vfs_bio_clrbuf() to mark pages valid, and to zero
+	 * actual buffer content which might exist in the tail of the
+	 * already valid cluster.
+	 */
+	error = bread(vp, de_cluster(pmp, dep->de_FileSize), pmp->pm_bpcluster,
+	    NOCRED, &bp);
+	if (error != 0)
+		goto rewind;
+	vfs_bio_clrbuf(bp);
+	eof_clusteroff = de_cn2off(pmp, de_cluster(pmp, dep->de_FileSize));
+	vfs_bio_bzero_buf(bp, dep->de_FileSize - eof_clusteroff,
+	    pmp->pm_bpcluster - dep->de_FileSize + eof_clusteroff);
+	if (!DOINGASYNC(vp))
+		(void)bwrite(bp);
+	else if (vm_page_count_severe() || buf_dirty_count_severe())
+		bawrite(bp);
+	else
+		bdwrite(bp);
+
+	vnode_pager_setsize(vp, length);
 	dep->de_FileSize = length;
 	dep->de_flag |= DE_UPDATE | DE_MODIFIED;
-	return (deupdat(dep, !DOINGASYNC(DETOV(dep))));
+	return (deupdat(dep, !DOINGASYNC(vp)));
+
+rewind:
+	/* truncate the added clusters away again */
+	(void)detrunc(dep, dep->de_FileSize, 0, cred);
+	return (error);
 }
 
 /*