| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 20 Aug 2018 14:09:05 +0800
From: Liu Song <liu.song11@....com.cn>
To: dedekind1@...il.com, richard@....at
Cc: linux-mtd@...ts.infradead.org, linux-kernel@...r.kernel.org,
liu.song11@....com.cn, jiang.biao2@....com.cn,
zhong.weidong@....com.cn
Subject: [PATCH] mtd/ubi: Make sure to read volume record from LEB 0 or LEB 1
From: fishland <liu.song11@....com.cn>
Even though we protect on-flash data by CRC checksums,
we still don't trust the media. If lnum is not 0 or 1,
access exceed array boundary can lead to bad situation.
Signed-off-by: Liu Song <liu.song11@....com.cn>
Reviewed-by: Jiang Biao <jiang.biao2@....com.cn>
---
drivers/mtd/ubi/vtbl.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/mtd/ubi/vtbl.c b/drivers/mtd/ubi/vtbl.c
index 94d7a86..64a2937 100644
--- a/drivers/mtd/ubi/vtbl.c
+++ b/drivers/mtd/ubi/vtbl.c
@@ -410,6 +410,10 @@ static struct ubi_vtbl_record *process_lvol(struct ubi_device *ubi,
/* Read both LEB 0 and LEB 1 into memory */
ubi_rb_for_each_entry(rb, aeb, &av->root, u.rb) {
+ if (aeb->lnum != 0 && aeb->lnum != 1) {
+ ubi_warn(ubi, "volume store in LEB %d", aeb->lnum);
+ continue;
+ }
leb[aeb->lnum] = vzalloc(ubi->vtbl_size);
if (!leb[aeb->lnum]) {
err = -ENOMEM;
--
2.1.0.GIT
Powered by blists - more mailing lists