| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20160224150314.3a35bdba@bbrezillon> Date: Wed, 24 Feb 2016 15:03:14 +0100 From: Boris Brezillon <boris.brezillon@...e-electrons.com> To: Richard Weinberger <richard@....at> Cc: linux-mtd@...ts.infradead.org, linux-kernel@...r.kernel.org, stable@...r.kernel.org, dedekind1@...il.com Subject: Re: [PATCH] ubi: Fix out of bounds write in volume update code On Sun, 21 Feb 2016 10:53:03 +0100 Richard Weinberger <richard@....at> wrote: > ubi_start_leb_change() alloctes too few bytes. > ubi_more_leb_change_data() will write up to req->upd_bytes + > ubi->min_io_size bytes. > > Cc: stable@...r.kernel.org > Signed-off-by: Richard Weinberger <richard@....at> Reviewed-by: Boris Brezillon <boris.brezillon@...e-electrons.com> > --- > drivers/mtd/ubi/upd.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/mtd/ubi/upd.c b/drivers/mtd/ubi/upd.c > index cfeaf0f..b7901ce 100644 > --- a/drivers/mtd/ubi/upd.c > +++ b/drivers/mtd/ubi/upd.c > @@ -193,7 +193,7 @@ int ubi_start_leb_change(struct ubi_device *ubi, struct ubi_volume *vol, > vol->changing_leb = 1; > vol->ch_lnum = req->lnum; > > - vol->upd_buf = vmalloc(req->bytes); > + vol->upd_buf = vmalloc(ALIGN((int)req->bytes, ubi->min_io_size)); > if (!vol->upd_buf) > return -ENOMEM; > -- Boris Brezillon, Free Electrons Embedded Linux and Kernel engineering http://free-electrons.com
Powered by blists - more mailing lists