From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Richard Weinberger <richard@nod.at>,
Boris Brezillon <boris.brezillon@free-electrons.com>
Subject: [PATCH 3.10 23/24] ubi: Fix out of bounds write in volume update code
Date: Mon, 7 Mar 2016 15:45:25 -0800 [thread overview]
Message-ID: <20160307234354.025289668@linuxfoundation.org> (raw)
In-Reply-To: <20160307234350.601613335@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit e4f6daac20332448529b11f09388f1d55ef2084c upstream.
ubi_start_leb_change() allocates too few bytes.
ubi_more_leb_change_data() will write up to req->upd_bytes +
ubi->min_io_size bytes.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/ubi/upd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mtd/ubi/upd.c
+++ b/drivers/mtd/ubi/upd.c
@@ -193,7 +193,7 @@ int ubi_start_leb_change(struct ubi_devi
vol->changing_leb = 1;
vol->ch_lnum = req->lnum;
- vol->upd_buf = vmalloc(req->bytes);
+ vol->upd_buf = vmalloc(ALIGN((int)req->bytes, ubi->min_io_size));
if (!vol->upd_buf)
return -ENOMEM;
next prev parent reply other threads:[~2016-03-07 23:45 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-07 23:45 [PATCH 3.10 00/24] 3.10.100-stable review Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 01/24] locks: fix unlock when fcntl_setlk races with a close Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 02/24] EDAC, mc_sysfs: Fix freeing bus name Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 03/24] CIFS: Fix SMB2+ interim response processing for read requests Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 04/24] x86/entry/compat: Add missing CLAC to entry_INT80_32 Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 05/24] drm/ast: Fix incorrect register check for DRAM width Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 06/24] libata: fix HDIO_GET_32BIT ioctl Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 07/24] libata: Align ata_devices id on a cacheline Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 08/24] PM / sleep / x86: Fix crash on graph trace through x86 suspend Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 09/24] Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin" Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 12/24] ALSA: ctl: Fix ioctls for X32 ABI Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 13/24] ALSA: rawmidi: Fix ioctls " Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 14/24] ALSA: timer: Fix ioctls for " Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 15/24] ALSA: seq: oss: Dont drain at closing a client Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 16/24] ALSA: hdspm: Fix wrong boolean ctl value accesses Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 17/24] ALSA: hdsp: " Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 18/24] ALSA: hdspm: Fix zero-division Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 19/24] ALSA: timer: Fix broken compat timer user status ioctl Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 20/24] USB: cp210x: Add ID for Parrot NMEA GPS Flight Recorder Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 21/24] USB: serial: option: add support for Telit LE922 PID 0x1045 Greg Kroah-Hartman
2016-03-07 23:45 ` [PATCH 3.10 22/24] USB: serial: option: add support for Quectel UC20 Greg Kroah-Hartman
2016-03-07 23:45 ` Greg Kroah-Hartman [this message]
2016-03-08 11:42 ` [PATCH 3.10 00/24] 3.10.100-stable review Guenter Roeck
2016-03-08 16:19 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160307234354.025289668@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=boris.brezillon@free-electrons.com \
--cc=linux-kernel@vger.kernel.org \
--cc=richard@nod.at \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).