From: Artem Bityutskiy <dedekind1@gmail.com>
To: Xi Wang <xi.wang@gmail.com>
Cc: linux-mtd@lists.infradead.org, David Woodhouse <dwmw2@infradead.org>
Subject: Re: [PATCH v2 1/2] jffs2: validate symlink size in jffs2_do_read_inode_internal()
Date: Sun, 29 Apr 2012 18:44:51 +0300
Message-ID: <1335714291.1942.15.camel@koala>
In-Reply-To: <1335379523-31415-1-git-send-email-xi.wang@gmail.com>
On Wed, 2012-04-25 at 14:45 -0400, Xi Wang wrote:
> `csize' is read from disk and thus needs validation. Otherwise a bogus
> value 0xffffffff would turn the subsequent kmalloc(csize + 1, ...) into
> kmalloc(0, ...), leading to out-of-bounds write.
>
> This patch limits `csize' to JFFS2_MAX_NAME_LEN, which is also used
> in jffs2_symlink().
I think your commit message is not general enough because it talks
about the 0xFFFFFFFF value, but there may be any other large value as well.
I've added the following clause to the commit message and pushed both
patches to l2-mtd.git, thanks! Please, verify.
The clause:
"Artem: we actually validate csize by checking CRC, so this 0xFFs cannot
come from empty flash region. But I guess an attacker could feed JFFS2
an image with random csize value, including 0xFFs."
--
Best Regards,
Artem Bityutskiy
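A worked model of the bug in the commit message above and of the check the patch adds. This is an added illustration, not code from the patch or from the kernel's fs/jffs2: kmalloc() and jffs2_flash_read() are replaced by a userspace allocation and a memcpy() from a constructed buffer, and the function names symlink_overflow_bytes_unchecked() and jffs2_read_symlink_target_checked() are invented here. It assumes JFFS2_MAX_NAME_LEN is 254, the value in the kernel's jffs2.h. The unchecked function only computes by how much the write would exceed the allocation (no memory is actually overrun); the checked function shows that rejecting csize > JFFS2_MAX_NAME_LEN covers both the 0xffffffff wrap and any other large value, which is the point of Artem's added clause.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed to match include/uapi/linux/jffs2.h. */
#define JFFS2_MAX_NAME_LEN 254

/*
 * Model of the pre-patch allocation: csize is a u32 read from the on-disk
 * inode, and `csize + 1` is evaluated in 32-bit arithmetic before being
 * widened to size_t for kmalloc().  Returns how many bytes the subsequent
 * read of csize bytes plus the NUL terminator would land past the end of
 * what was allocated.  No memory is touched; this only does the arithmetic.
 */
uint64_t symlink_overflow_bytes_unchecked(uint32_t csize)
{
    uint32_t alloc_len = csize + 1;            /* 0xffffffff + 1 wraps to 0 */
    uint64_t write_len = (uint64_t)csize + 1;  /* csize target bytes + '\0' */

    return write_len > alloc_len ? write_len - alloc_len : 0;
}

/*
 * Post-patch shape: bound csize before it is used to size the allocation.
 * node_data/node_len stand in for the inode's data region on flash (a
 * constructed buffer here); csize larger than the bytes present is also
 * rejected, a check this harness needs because it does not model
 * jffs2_flash_read()'s own bounds.  Returns 0 and sets *target_out on
 * success, a negative errno otherwise.
 */
int jffs2_read_symlink_target_checked(const uint8_t *node_data, size_t node_len,
                                      uint32_t csize, char **target_out)
{
    char *target;

    *target_out = NULL;
    if (csize > JFFS2_MAX_NAME_LEN)   /* rejects 0xffffffff and 0x10000 alike */
        return -EIO;
    if (csize > node_len)
        return -EIO;

    target = malloc((size_t)csize + 1);   /* at most 255 bytes, cannot wrap */
    if (!target)
        return -ENOMEM;
    memcpy(target, node_data, csize);
    target[csize] = '\0';
    *target_out = target;
    return 0;
}

int main(void)
{
    /* Constructed inode data region holding a plausible symlink target. */
    static const uint8_t good_data[] = "/usr/lib/libc.so.6";
    const size_t good_len = sizeof good_data - 1;
    uint32_t bogus[] = { 0xffffffffu, 0x00010000u, JFFS2_MAX_NAME_LEN + 1 };
    char *target = NULL;
    size_t i;

    printf("csize=0xffffffff: unchecked path would write %llu bytes past a "
           "0-byte allocation\n",
           (unsigned long long)symlink_overflow_bytes_unchecked(0xffffffffu));

    for (i = 0; i < sizeof bogus / sizeof bogus[0]; i++) {
        int ret = jffs2_read_symlink_target_checked(good_data, good_len,
                                                    bogus[i], &target);
        printf("csize=0x%08x: checked path returns %d\n", bogus[i], ret);
    }

    if (jffs2_read_symlink_target_checked(good_data, good_len,
                                          (uint32_t)good_len, &target) == 0) {
        printf("csize=%zu: target \"%s\"\n", good_len, target);
        free(target);
    }
    return 0;
}
```

Note that the wrap happens in the u32 addition itself, so widening to size_t afterwards does not help; the only fix is to bound csize before it reaches the allocator, which is what limiting it to JFFS2_MAX_NAME_LEN does.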
Thread overview: 4+ messages
2012-04-25 18:45 [PATCH v2 1/2] jffs2: validate symlink size in jffs2_do_read_inode_internal() Xi Wang
2012-04-25 18:45 ` [PATCH v2 2/2] jffs2: refactor csize usage " Xi Wang
2012-04-29 15:44 ` Artem Bityutskiy [this message]
2012-04-29 21:45 ` [PATCH v2 1/2] jffs2: validate symlink size " Xi Wang