From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933118AbbIYTk5 (ORCPT ); Fri, 25 Sep 2015 15:40:57 -0400 Received: from a.ns.miles-group.at ([95.130.255.143]:11950 "EHLO radon.swed.at" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932976AbbIYTkz (ORCPT ); Fri, 25 Sep 2015 15:40:55 -0400 Subject: Re: [PATCH] UBI: Validate data_size To: David Gstir References: <1442959087-9820-1-git-send-email-richard@nod.at> <2909A36F-2B40-424F-9861-BB992DB2B2BF@sigma-star.at> Cc: linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org From: Richard Weinberger Message-ID: <5605A344.20200@nod.at> Date: Fri, 25 Sep 2015 21:40:52 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 MIME-Version: 1.0 In-Reply-To: <2909A36F-2B40-424F-9861-BB992DB2B2BF@sigma-star.at> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Am 24.09.2015 um 12:37 schrieb David Gstir: > >> On 22.09.2015, at 23:58, Richard Weinberger wrote: >> >> Make sure that data_size is less than LEB size. >> Otherwise a handcrafted UBI image is able to trigger >> an out of bounds memory access in ubi_compare_lebs(). >> >> Cc: stable@vger.kernel.org >> Signed-off-by: Richard Weinberger >> --- >> drivers/mtd/ubi/io.c | 5 +++++ >> 1 file changed, 5 insertions(+) >> >> diff --git a/drivers/mtd/ubi/io.c b/drivers/mtd/ubi/io.c >> index 5bbd1f0..1fc23e4 100644 >> --- a/drivers/mtd/ubi/io.c >> +++ b/drivers/mtd/ubi/io.c >> @@ -926,6 +926,11 @@ static int validate_vid_hdr(const struct ubi_device *ubi, >> goto bad; >> } >> >> + if (data_size > ubi->leb_size) { >> + ubi_err(ubi, "bad data_size"); >> + goto bad; >> + } >> + > > Nice catch! > > Reviewed-by: David Gstir Applied and queued for 4.3-rc. Thanks, //richard