From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Richard Weinberger <richard@nod.at>,
Zhihao Cheng <chengzhihao1@huawei.com>,
Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Subject: [PATCH 4.9 12/25] ubifs: wbuf: Don't leak kernel memory to flash
Date: Fri, 15 Jan 2021 13:27:43 +0100
Message-ID: <20210115121957.285357494@linuxfoundation.org>
In-Reply-To: <20210115121956.679956165@linuxfoundation.org>
From: Richard Weinberger <richard@nod.at>
commit 20f1431160c6b590cdc269a846fc5a448abf5b98 upstream
Write buffers use a kmalloc()'ed buffer; they can leak
up to seven bytes of kernel memory to flash if writes are not
aligned.
So use ubifs_pad() to fill these gaps with padding bytes.
This was never a problem while scanning because the scanner logic
manually aligns node lengths and skips over these gaps.
Cc: <stable@vger.kernel.org>
Fixes: 1e51764a3c2ac05a2 ("UBIFS: add new flash file system")
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
[sudip: adjust context]
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ubifs/io.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/fs/ubifs/io.c
+++ b/fs/ubifs/io.c
@@ -331,7 +331,7 @@ void ubifs_pad(const struct ubifs_info *
{
uint32_t crc;
- ubifs_assert(pad >= 0 && !(pad & 7));
+ ubifs_assert(pad >= 0);
if (pad >= UBIFS_PAD_NODE_SZ) {
struct ubifs_ch *ch = buf;
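Review bot: dropping `!(pad & 7)` from the assertion is needed because the new callers hand ubifs_pad() gaps of 1..7 bytes, but the check also used to cover the large-pad path; consider keeping the 8-byte-multiple check inside the visible `if (pad >= UBIFS_PAD_NODE_SZ)` branch, where a padding node is emitted, and confirming that the branch below it fills arbitrary byte counts, since that is the path the short gaps now take.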
@@ -721,6 +721,10 @@ int ubifs_wbuf_write_nolock(struct ubifs
* write-buffer.
*/
memcpy(wbuf->buf + wbuf->used, buf, len);
+ if (aligned_len > len) {
+ ubifs_assert(aligned_len - len < 8);
+ ubifs_pad(c, wbuf->buf + wbuf->used + len, aligned_len - len);
+ }
if (aligned_len == wbuf->avail) {
dbg_io("flush jhead %s wbuf to LEB %d:%d",
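Review bot: the new `if (aligned_len > len)` block carries no comment saying why the gap is padded; the buffer comes from kmalloc() and is not zeroed, so a one-liner such as `/* pad the alignment gap so stale buffer contents never reach flash */` would keep the reason next to the code (the commit message has it, the code does not). The same three-line block is repeated verbatim in the next hunk with a different base pointer; a small static helper taking the destination pointer, `len` and `aligned_len` would avoid the duplication. Note also that `ubifs_assert(aligned_len - len < 8)` only fires in debug builds, so it documents the invariant rather than guarding it at runtime.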
@@ -813,13 +817,18 @@ int ubifs_wbuf_write_nolock(struct ubifs
}
spin_lock(&wbuf->lock);
- if (aligned_len)
+ if (aligned_len) {
/*
* And now we have what's left and what does not take whole
* max. write unit, so write it to the write-buffer and we are
* done.
*/
memcpy(wbuf->buf, buf + written, len);
+ if (aligned_len > len) {
+ ubifs_assert(aligned_len - len < 8);
+ ubifs_pad(c, wbuf->buf + len, aligned_len - len);
+ }
+ }
if (c->leb_size - wbuf->offs >= c->max_write_size)
wbuf->size = c->max_write_size;
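As an added illustration (not part of this patch or of the UBIFS sources), the following constructed model shows the defect class the commit message describes: a node copied into a non-zeroed heap buffer leaves 1..7 stale bytes in the 8-byte alignment gap, which a flush would write out unless the gap is overwritten with a padding byte, as the fix does with ubifs_pad(). All names, sizes and the padding value are assumptions chosen for the example.

```c
/* Added example, not kernel code: models an unaligned write into a stale,
 * heap-allocated write buffer, with and without padding the gap. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define WBUF_ALIGN   8
#define PADDING_BYTE 0xCE  /* constructed stand-in for the fs padding byte */
#define ALIGN_UP(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* Simulated write-buffer. The kernel allocates its buffer with kmalloc(),
 * which does not zero memory, so we pre-fill it with "stale" bytes. */
struct wbuf { uint8_t buf[64]; size_t used; };

static void wbuf_init(struct wbuf *w)
{
    memset(w->buf, 0xAA, sizeof(w->buf)); /* stale kernel data stand-in */
    w->used = 0;
}

/* Copy len bytes and advance by the 8-byte aligned length. With pad == 0 the
 * 1..7 gap bytes keep whatever the buffer held before (the bug); with pad != 0
 * the gap is overwritten, which is what the fix achieves with ubifs_pad(). */
static size_t wbuf_write(struct wbuf *w, const uint8_t *data, size_t len, int pad)
{
    size_t aligned_len = ALIGN_UP(len, WBUF_ALIGN);
    if (w->used + aligned_len > sizeof(w->buf))
        return 0;
    memcpy(w->buf + w->used, data, len);
    if (pad && aligned_len > len)
        memset(w->buf + w->used + len, PADDING_BYTE, aligned_len - len);
    w->used += aligned_len;
    return aligned_len;
}

/* Count gap bytes after a node of length len that are not the padding byte,
 * i.e. bytes that would reach flash carrying stale buffer contents. */
static size_t count_leaked(const struct wbuf *w, size_t start, size_t len)
{
    size_t aligned_len = ALIGN_UP(len, WBUF_ALIGN), leaked = 0;
    for (size_t i = start + len; i < start + aligned_len; i++)
        if (w->buf[i] != PADDING_BYTE)
            leaked++;
    return leaked;
}

/* Write a constructed 13-byte node (aligned length 16, 3-byte gap) and
 * report how many gap bytes still hold stale data. */
size_t leaked_bytes_for(int pad)
{
    struct wbuf w;
    static const uint8_t node[13] = "node-payload";
    wbuf_init(&w);
    size_t start = w.used;
    wbuf_write(&w, node, sizeof node, pad);
    return count_leaked(&w, start, sizeof node);
}
```

Without padding the three gap bytes carry the old buffer contents; with padding none do.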