From: Richard Weinberger
To: Sasha Levin
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, Sasha Levin
Subject: Re: [PATCH AUTOSEL 3.18 6/6] ubifs: Check for name being NULL while mounting
Date: Fri, 05 Oct 2018 18:24:42 +0200
Message-ID: <4196827.3PtsAkI51k@blindfold>
In-Reply-To: <20181005161750.20823-6-sashal@kernel.org>
References: <20181005161750.20823-1-sashal@kernel.org> <20181005161750.20823-6-sashal@kernel.org>

Sasha,

On Friday, 5 October 2018, 18:17:50 CEST, Sasha Levin wrote:
> From: Richard Weinberger
>
> [ Upstream commit 37f31b6ca4311b94d985fb398a72e5399ad57925 ]
>
> The requested device name can be NULL or an empty string.
> Check for that and refuse to continue. UBIFS has to do this manually
> since we cannot use mount_bdev(), which checks for this condition.
>
> Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
> Reported-by: syzbot+38bd0f7865e5c6379280@syzkaller.appspotmail.com
> Signed-off-by: Richard Weinberger
> Signed-off-by: Sasha Levin

I'm not sure whether it makes sense to apply this patch to stable.
1. You need to be the real root to hit this code path.
2. Access is read-only, for an attacker it is useless.

If we look at the code:
        if (name[0] != 'u' || name[1] != 'b' || name[2] != 'i')
                return ERR_PTR(-EINVAL);

        /* ubi:NAME method */
        if ((name[3] == ':' || name[3] == '!') && name[4] != '\0')

name can be NULL, so we access just a few bytes.

Thanks,
//richard
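
Added example, not part of the mail above and not the kernel's own code: a userspace model of the name checks under discussion, with the NULL/empty guard from the quoted commit message placed ahead of the name[0..4] reads. The names parse_ubi_name and struct ubi_ref are hypothetical, and the numbered forms (ubiY, ubiX_Y, ubiX:NAME) are a generalization beyond the two checks quoted in the mail.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

/* Hypothetical result type for this example; not a kernel structure. */
struct ubi_ref {
	int dev;           /* UBI device number (0 when not given) */
	int vol;           /* volume id, or -1 when selected by name */
	const char *label; /* volume name inside the input, or NULL */
};

/* Userspace model of the name checks; returns 0 or -EINVAL. */
int parse_ubi_name(const char *name, struct ubi_ref *out)
{
	char *end;

	/* Guard from the commit message: refuse NULL or "" before any name[i] read. */
	if (!name || !*name)
		return -EINVAL;
	if (name[0] != 'u' || name[1] != 'b' || name[2] != 'i')
		return -EINVAL;
	*out = (struct ubi_ref){ 0, -1, NULL };

	/* ubi:NAME method (':' or '!' separator), as quoted in the mail */
	if ((name[3] == ':' || name[3] == '!') && name[4] != '\0') {
		out->label = name + 4;
		return 0;
	}

	/* Numbered forms: generalization beyond the quoted lines. */
	if (!isdigit((unsigned char)name[3]))
		return -EINVAL;
	out->dev = (int)strtoul(name + 3, &end, 10);
	if (*end == '\0') {			/* ubiY: volume Y on device 0 */
		out->vol = out->dev;
		out->dev = 0;
		return 0;
	}
	if (*end == '_' && isdigit((unsigned char)end[1])) {	/* ubiX_Y */
		out->vol = (int)strtoul(end + 1, &end, 10);
		return *end == '\0' ? 0 : -EINVAL;
	}
	if ((*end == ':' || *end == '!') && end[1] != '\0') {	/* ubiX:NAME */
		out->label = end + 1;
		return 0;
	}
	return -EINVAL;
}
```

Because the prefix comparison short-circuits, a short string such as "ub" is rejected at its terminating NUL without reading past it; only the NULL case needs the explicit guard.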