| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Sep 2015 12:37:49 +0200
From: David Gstir <david@...ma-star.at>
To: Richard Weinberger <richard@....at>
Cc: linux-mtd@...ts.infradead.org, linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Subject: Re: [PATCH] UBI: Validate data_size
> On 22.09.2015, at 23:58, Richard Weinberger <richard@....at> wrote:
>
> Make sure that data_size is less than LEB size.
> Otherwise a handcrafted UBI image is able to trigger
> an out of bounds memory access in ubi_compare_lebs().
>
> Cc: stable@...r.kernel.org
> Signed-off-by: Richard Weinberger <richard@....at>
> ---
> drivers/mtd/ubi/io.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/mtd/ubi/io.c b/drivers/mtd/ubi/io.c
> index 5bbd1f0..1fc23e4 100644
> --- a/drivers/mtd/ubi/io.c
> +++ b/drivers/mtd/ubi/io.c
> @@ -926,6 +926,11 @@ static int validate_vid_hdr(const struct ubi_device *ubi,
> goto bad;
> }
>
> + if (data_size > ubi->leb_size) {
> + ubi_err(ubi, "bad data_size");
> + goto bad;
> + }
> +
Nice catch!
Reviewed-by: David Gstir <david@...ma-star.at>--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists