Acknowledged
Created: Oct 10, 2025
Updated: Oct 17, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix off-by-one errors in fast-commit block filling

Due to several different off-by-one errors, or perhaps due to a late
change in design that wasn't fully reflected in the code that was
actually merged, there are several very strange constraints on how
fast-commit blocks are filled with tlv entries:

- tlvs must start at least 10 bytes before the end of the block, even
  though the minimum tlv length is 8. Otherwise, the replay code will
  ignore them. (BUG: ext4_fc_reserve_space() could violate this
  requirement if called with a len of blocksize - 9 or blocksize - 8.
  Fortunately, this doesn't seem to happen currently.)

- tlvs must end at least 1 byte before the end of the block. Otherwise
  the replay code will consider them to be invalid. This quirk
  contributed to a bug (fixed by an earlier commit) where uninitialized
  memory was being leaked to disk in the last byte of blocks.

Also, strangely these constraints don't apply to the replay code in
e2fsprogs, which will accept any tlvs in the blocks (with no bounds
checks at all, but that is a separate issue...).

Given that this all seems to be a bug, let's fix it by just filling
blocks with tlv entries in the natural way.

Note that old kernels will be unable to replay fast-commit journals
created by kernels that have this commit.