Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753593AbcDRLDC (ORCPT ); Mon, 18 Apr 2016 07:03:02 -0400 Received: from mail.kernel.org ([198.145.29.136]:35155 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751335AbcDRKug (ORCPT ); Mon, 18 Apr 2016 06:50:36 -0400 From: lizf@kernel.org To: stable@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Richard Weinberger , Zefan Li Subject: [PATCH 3.4 65/92] UBI: Validate data_size Date: Mon, 18 Apr 2016 18:46:10 +0800 Message-Id: <1460976397-5688-65-git-send-email-lizf@kernel.org> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1460976338-5631-1-git-send-email-lizf@kernel.org> References: <1460976338-5631-1-git-send-email-lizf@kernel.org> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1071 Lines: 39 From: Richard Weinberger 3.4.112-rc1 review patch. If anyone has any objections, please let me know. ------------------ commit 281fda27673f833a01d516658a64d22a32c8e072 upstream. Make sure that data_size is less than LEB size. Otherwise a handcrafted UBI image is able to trigger an out of bounds memory access in ubi_compare_lebs(). Signed-off-by: Richard Weinberger Reviewed-by: David Gstir [lizf: Backported to 3.4: use dbg_err() instead of ubi_err()]; Signed-off-by: Zefan Li --- drivers/mtd/ubi/io.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/mtd/ubi/io.c b/drivers/mtd/ubi/io.c index 43f1a00..8f793ea 100644 --- a/drivers/mtd/ubi/io.c +++ b/drivers/mtd/ubi/io.c @@ -942,6 +942,11 @@ static int validate_vid_hdr(const struct ubi_device *ubi, goto bad; } + if (data_size > ubi->leb_size) { + dbg_err("bad data_size"); + goto bad; + } + if (vol_type == UBI_VID_STATIC) { /* * Although from high-level point of view static volumes may -- 1.9.1
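Review bot: the new check in validate_vid_hdr(), `if (data_size > ubi->leb_size)`, accepts data_size equal to the LEB size, while the commit message says data_size must be "less than LEB size". If equality is intended, the message should read "not larger than LEB size"; if it is not, the comparison needs to be `>=`. The declaration of data_size is outside the visible context, so it is also worth confirming that the comparison against ubi->leb_size cannot be passed by a negative or sign-converted value from a crafted header. Finally, `dbg_err("bad data_size")` does not report the offending value; printing data_size and ubi->leb_size would make a rejected image much easier to diagnose from the log.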