From: Zhihao Cheng
Subject: [PATCH RFC 2/5] Revert "ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len"
Date: Tue, 16 Jun 2020 15:11:43 +0800
Message-ID: <20200616071146.2607061-3-chengzhihao1@huawei.com>
In-Reply-To: <20200616071146.2607061-1-chengzhihao1@huawei.com>
References: <20200616071146.2607061-1-chengzhihao1@huawei.com>

This reverts commit acc5af3efa303d5f36cc8c0f61716161f6ca1384.

No need to avoid memory oob in dumping for data node alone. Later, node
length will be passed into function 'ubifs_dump_node()' which replaces
all node dumping places.

Signed-off-by: Zhihao Cheng
---
 fs/ubifs/io.c | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c index 7e4bfaf2871f..8ceb51478800 100644 --- a/fs/ubifs/io.c +++ b/fs/ubifs/io.c @@ -225,7 +225,7 @@ int ubifs_is_mapped(const struct ubifs_info *c, int lnum) int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum, int offs, int quiet, int must_chk_crc) { - int err = -EINVAL, type, node_len, dump_node = 1; + int err = -EINVAL, type, node_len; uint32_t crc, node_crc, magic; const struct ubifs_ch *ch = buf; 
@@ -278,22 +278,10 @@ int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum, out_len: if (!quiet) ubifs_err(c, "bad node length %d", node_len); - if (type == UBIFS_DATA_NODE && node_len > UBIFS_DATA_NODE_SZ) - dump_node = 0; out: if (!quiet) { ubifs_err(c, "bad node at LEB %d:%d", lnum, offs); - if (dump_node) { - ubifs_dump_node(c, buf); - } else { - int safe_len = min3(node_len, c->leb_size - offs, - (int)UBIFS_MAX_DATA_NODE_SZ); - pr_err("\tprevent out-of-bounds memory access\n"); - pr_err("\ttruncated data node length %d\n", safe_len); - pr_err("\tcorrupted data node:\n"); - print_hex_dump(KERN_ERR, "\t", DUMP_PREFIX_OFFSET, 32, 1, - buf, safe_len, 0); - } + ubifs_dump_node(c, buf); dump_stack(); } return err; -- 2.25.4
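
Review bot: At the `out:` label in the second hunk, `ubifs_dump_node(c, buf);` becomes unconditional again, so a node that arrives via `out_len:` with a bad `node_len` is dumped with no length bound at all once this patch is applied on its own. The removed branch capped the dump at `min3(node_len, c->leb_size - offs, (int)UBIFS_MAX_DATA_NODE_SZ)`, and the replacement bound is only promised by the commit message ("Later, node length will be passed into function 'ubifs_dump_node()'"), so every commit between this revert and that later change reopens the out-of-bounds read that acc5af3efa30 fixed, which matters for bisection and for anyone backporting part of the series. Please either move this revert after the patch that gives `ubifs_dump_node()` a length argument, or fold it into that patch, and name the patch in the commit message so the dependency is explicit.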