Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S966862AbcCPLHQ (ORCPT ); Wed, 16 Mar 2016 07:07:16 -0400 Received: from mx2.suse.de ([195.135.220.15]:47249 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S966616AbcCPLAA (ORCPT ); Wed, 16 Mar 2016 07:00:00 -0400 X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "References" From: Jiri Slaby To: stable@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Richard Weinberger , Jiri Slaby Subject: [PATCH 3.12 35/58] ubi: Fix out of bounds write in volume update code Date: Wed, 16 Mar 2016 11:59:20 +0100 Message-Id: <1cfdd759db4f056477b72357df2f95786a52b541.1458125909.git.jslaby@suse.cz> X-Mailer: git-send-email 2.7.3 In-Reply-To: <377b71e18f20d69b0df301ce7040554f40ba9651.1458125909.git.jslaby@suse.cz> References: <377b71e18f20d69b0df301ce7040554f40ba9651.1458125909.git.jslaby@suse.cz> In-Reply-To: References: Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1034 Lines: 34 From: Richard Weinberger 3.12-stable review patch. If anyone has any objections, please let me know. =============== commit e4f6daac20332448529b11f09388f1d55ef2084c upstream. ubi_start_leb_change() allocates too few bytes. ubi_more_leb_change_data() will write up to req->upd_bytes + ubi->min_io_size bytes. Signed-off-by: Richard Weinberger Reviewed-by: Boris Brezillon Signed-off-by: Jiri Slaby --- drivers/mtd/ubi/upd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/ubi/upd.c b/drivers/mtd/ubi/upd.c index 2a1b6e037e1a..0134ba32a057 100644 --- a/drivers/mtd/ubi/upd.c +++ b/drivers/mtd/ubi/upd.c @@ -193,7 +193,7 @@ int ubi_start_leb_change(struct ubi_device *ubi, struct ubi_volume *vol, vol->changing_leb = 1; vol->ch_lnum = req->lnum; - vol->upd_buf = vmalloc(req->bytes); + vol->upd_buf = vmalloc(ALIGN((int)req->bytes, ubi->min_io_size)); if (!vol->upd_buf) return -ENOMEM; -- 2.7.3