| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8267e170-e3ae-06dd-c859-17712785071a@gmail.com>
Date: Tue, 3 Jan 2017 03:22:28 +0100
From: Marek Vasut <marek.vasut@...il.com>
To: "Jason A. Donenfeld" <Jason@...c4.com>,
David Woodhouse <dwmw2@...radead.org>,
Brian Norris <computersforpeace@...il.com>,
linux-mtd@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] mtd/redboot: avoid null pointer deref
On 12/22/2016 12:25 AM, Jason A. Donenfeld wrote:
> By giving a bogus partition name, it's possible to trigger a null
> pointer dereference.
>
> Signed-off-by: Jason A. Donenfeld <Jason@...c4.com>
Nice catch. It'd be great to have the condition which can be used to
trigger this problem in the commit message. I presume this happens if
buf[i].name[0] = 0xff for all $i, right ?
So please expand the explanation and add my Ack for V2:
Acked-by: Marek Vasut <marek.vasut@...il.com>
Thanks
> ---
> drivers/mtd/redboot.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/mtd/redboot.c b/drivers/mtd/redboot.c
> index 7623ac5fc586..53949ef80d36 100644
> --- a/drivers/mtd/redboot.c
> +++ b/drivers/mtd/redboot.c
> @@ -212,6 +212,10 @@ static int parse_redboot_partitions(struct mtd_info *master,
>
> nrparts++;
> }
> + if (!fl) {
> + ret = -EINVAL;
> + goto out;
> + }
> #ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED
> if (fl->img->flash_base) {
> nrparts++;
>
--
Best regards,
Marek Vasut
Powered by blists - more mailing lists