From: Richard Weinberger <richard@nod.at>
To: David Gstir <david@sigma-star.at>
Cc: linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] UBI: Validate data_size
Date: Fri, 25 Sep 2015 21:40:52 +0200 [thread overview]
Message-ID: <5605A344.20200@nod.at> (raw)
In-Reply-To: <2909A36F-2B40-424F-9861-BB992DB2B2BF@sigma-star.at>
Am 24.09.2015 um 12:37 schrieb David Gstir:
>
>> On 22.09.2015, at 23:58, Richard Weinberger <richard@nod.at> wrote:
>>
>> Make sure that data_size is less than LEB size.
>> Otherwise a handcrafted UBI image is able to trigger
>> an out of bounds memory access in ubi_compare_lebs().
>>
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Richard Weinberger <richard@nod.at>
>> ---
>> drivers/mtd/ubi/io.c | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/drivers/mtd/ubi/io.c b/drivers/mtd/ubi/io.c
>> index 5bbd1f0..1fc23e4 100644
>> --- a/drivers/mtd/ubi/io.c
>> +++ b/drivers/mtd/ubi/io.c
>> @@ -926,6 +926,11 @@ static int validate_vid_hdr(const struct ubi_device *ubi,
>> goto bad;
>> }
>>
>> + if (data_size > ubi->leb_size) {
>> + ubi_err(ubi, "bad data_size");
>> + goto bad;
>> + }
>> +
>
> Nice catch!
>
> Reviewed-by: David Gstir <david@sigma-star.at>
Applied and queued for 4.3-rc.
Thanks,
//richard
prev parent reply other threads:[~2015-09-25 19:41 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-22 21:58 [PATCH] UBI: Validate data_size Richard Weinberger
2015-09-24 10:37 ` David Gstir
2015-09-25 19:40 ` Richard Weinberger [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5605A344.20200@nod.at \
--to=richard@nod.at \
--cc=david@sigma-star.at \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.