| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1456048383-27344-1-git-send-email-richard@nod.at> Date: Sun, 21 Feb 2016 10:53:03 +0100 From: Richard Weinberger <richard@....at> To: linux-mtd@...ts.infradead.org Cc: dedekind1@...il.com, richard@....at, linux-kernel@...r.kernel.org, stable@...r.kernel.org Subject: [PATCH] ubi: Fix out of bounds write in volume update code ubi_start_leb_change() alloctes too few bytes. ubi_more_leb_change_data() will write up to req->upd_bytes + ubi->min_io_size bytes. Cc: stable@...r.kernel.org Signed-off-by: Richard Weinberger <richard@....at> --- drivers/mtd/ubi/upd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/ubi/upd.c b/drivers/mtd/ubi/upd.c index cfeaf0f..b7901ce 100644 --- a/drivers/mtd/ubi/upd.c +++ b/drivers/mtd/ubi/upd.c @@ -193,7 +193,7 @@ int ubi_start_leb_change(struct ubi_device *ubi, struct ubi_volume *vol, vol->changing_leb = 1; vol->ch_lnum = req->lnum; - vol->upd_buf = vmalloc(req->bytes); + vol->upd_buf = vmalloc(ALIGN((int)req->bytes, ubi->min_io_size)); if (!vol->upd_buf) return -ENOMEM; -- 1.8.4.5
Powered by blists - more mailing lists