fuse: Initialize beyond-EOF page contents before setting uptodate

JIRA: https://issues.redhat.com/browse/RHEL-56932
CVE: CVE-2024-44947

commit 3c0da3d163eb32f1f91891efaade027fa9b245b9
Author: Jann Horn <jannh@google.com>
Date:   Tue Aug 6 21:51:42 2024 +0200

    fuse: Initialize beyond-EOF page contents before setting uptodate

    fuse_notify_store(), unlike fuse_do_readpage(), does not enable page
    zeroing (because it can be used to change partial page contents).

    So fuse_notify_store() must be more careful to fully initialize page
    contents (including parts of the page that are beyond end-of-file)
    before marking the page uptodate.

    The current code can leave beyond-EOF page contents uninitialized, which
    makes these uninitialized page contents visible to userspace via mmap().

    This is an information leak, but only affects systems which do not
    enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the
    corresponding kernel command line parameter).

    Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2574
    Cc: stable@kernel.org
    Fixes: a1d75f2582 ("fuse: add store request")
    Signed-off-by: Jann Horn <jannh@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>

fs/fuse/dev.c

@@ -1612,9 +1612,11 @@ static int fuse_notify_store(struct fuse_conn *fc, unsigned int size,
 
 		this_num = min_t(unsigned, num, PAGE_SIZE - offset);
 		err = fuse_copy_page(cs, &page, offset, this_num, 0);
-		if (!err && offset == 0 &&
-		    (this_num == PAGE_SIZE || file_size == end))
+		if (!PageUptodate(page) && !err && offset == 0 &&
+		    (this_num == PAGE_SIZE || file_size == end)) {
+			zero_user_segment(page, this_num, PAGE_SIZE);
 			SetPageUptodate(page);
+		}
 		unlock_page(page);
 		put_page(page);