From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756024AbcBXOD2 (ORCPT ); Wed, 24 Feb 2016 09:03:28 -0500 Received: from down.free-electrons.com ([37.187.137.238]:38762 "EHLO mail.free-electrons.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751441AbcBXOD0 (ORCPT ); Wed, 24 Feb 2016 09:03:26 -0500 Date: Wed, 24 Feb 2016 15:03:14 +0100 From: Boris Brezillon To: Richard Weinberger Cc: linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, dedekind1@gmail.com Subject: Re: [PATCH] ubi: Fix out of bounds write in volume update code Message-ID: <20160224150314.3a35bdba@bbrezillon> In-Reply-To: <1456048383-27344-1-git-send-email-richard@nod.at> References: <1456048383-27344-1-git-send-email-richard@nod.at> X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.27; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, 21 Feb 2016 10:53:03 +0100 Richard Weinberger wrote: > ubi_start_leb_change() alloctes too few bytes. > ubi_more_leb_change_data() will write up to req->upd_bytes + > ubi->min_io_size bytes. > > Cc: stable@vger.kernel.org > Signed-off-by: Richard Weinberger Reviewed-by: Boris Brezillon > --- > drivers/mtd/ubi/upd.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/mtd/ubi/upd.c b/drivers/mtd/ubi/upd.c > index cfeaf0f..b7901ce 100644 > --- a/drivers/mtd/ubi/upd.c > +++ b/drivers/mtd/ubi/upd.c > @@ -193,7 +193,7 @@ int ubi_start_leb_change(struct ubi_device *ubi, struct ubi_volume *vol, > vol->changing_leb = 1; > vol->ch_lnum = req->lnum; > > - vol->upd_buf = vmalloc(req->bytes); > + vol->upd_buf = vmalloc(ALIGN((int)req->bytes, ubi->min_io_size)); > if (!vol->upd_buf) > return -ENOMEM; > -- Boris Brezillon, Free Electrons Embedded Linux and Kernel engineering http://free-electrons.com