lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <62854804-c692-0e18-94af-67efd86af61e@huawei.com>
Date: Mon, 25 Nov 2024 21:41:51 +0800
From: Zhihao Cheng <chengzhihao1@...wei.com>
To: Denis Arefev <arefev@...mel.ru>, Richard Weinberger <richard@....at>
CC: Miquel Raynal <miquel.raynal@...tlin.com>, Vignesh Raghavendra
	<vigneshr@...com>, Artem Bityutskiy <Artem.Bityutskiy@...ia.com>,
	<linux-mtd@...ts.infradead.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] mtd: ubi: Added a check for ubi_num

在 2024/11/25 21:23, Denis Arefev 写道:
> Added a check for ubi_num for negative numbers
> If the variable ubi_num takes negative values then we get:
> 
> qemu-system-arm ... -append "ubi.mtd=0,0,0,-22222345" ...
> [    0.745065]  ubi_attach_mtd_dev from ubi_init+0x178/0x218
> [    0.745230]  ubi_init from do_one_initcall+0x70/0x1ac
> [    0.745344]  do_one_initcall from kernel_init_freeable+0x198/0x224
> [    0.745474]  kernel_init_freeable from kernel_init+0x18/0x134
> [    0.745600]  kernel_init from ret_from_fork+0x14/0x28
> [    0.745727] Exception stack(0x90015fb0 to 0x90015ff8)
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 897a316c9e6f ("UBI: handle attach ioctl")

Hi Denis,
I think the problem is imported by 
83ff59a066637a6c28844bbf43009459408240f4("UBI: support ubi_num on 
mtd.ubi command line").
> Signed-off-by: Denis Arefev <arefev@...mel.ru>
> ---
>   drivers/mtd/ubi/build.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
> index 30be4ed68fad..dae569f48b87 100644
> --- a/drivers/mtd/ubi/build.c
> +++ b/drivers/mtd/ubi/build.c
> @@ -920,7 +920,7 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
>   			return -ENFILE;
>   		}
>   	} else {
> -		if (ubi_num >= UBI_MAX_DEVICES)
> +		if (ubi_num < UBI_DEV_NUM_AUTO || ubi_num >= UBI_MAX_DEVICES)
>   			return -EINVAL;

The ioctl(UBI_IOCATT) already checks the 'ubi_num', so I prefer to add 
the missing check in ubi_mtd_param_parse().
>   
>   		/* Make sure ubi_num is not busy */
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ