From: Richard Weinberger
To: linux-mtd@lists.infradead.org
Cc: linux-kernel@vger.kernel.org, Richard Weinberger, stable@vger.kernel.org
Subject: [PATCH] ubifs: wbuf: Don't leak kernel memory to flash
Date: Mon, 16 Nov 2020 22:05:30 +0100
Message-Id: <20201116210530.26230-1-richard@nod.at>

Write buffers use a kmalloc()'ed buffer; they can leak up to seven bytes
of kernel memory to flash if writes are not aligned. So use ubifs_pad()
to fill these gaps with padding bytes.

This was never a problem while scanning because the scanner logic
manually aligns node lengths and skips over these gaps.

Cc:
Fixes: 1e51764a3c2ac05a2 ("UBIFS: add new flash file system")
Signed-off-by: Richard Weinberger
---
 fs/ubifs/io.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c
index 7e4bfaf2871f..eae9cf5a57b0 100644
--- a/fs/ubifs/io.c
+++ b/fs/ubifs/io.c
@@ -319,7 +319,7 @@ void ubifs_pad(const struct ubifs_info *c, void *buf,= int pad) { uint32_t crc; =20 - ubifs_assert(c, pad >=3D 0 && !(pad & 7)); + ubifs_assert(c, pad >=3D 0); =20 if (pad >=3D UBIFS_PAD_NODE_SZ) { struct ubifs_ch *ch =3D buf; @@ -764,6 +764,10 @@ int ubifs_wbuf_write_nolock(struct ubifs_wbuf *wbuf,= void *buf, int len) * write-buffer. */ memcpy(wbuf->buf + wbuf->used, buf, len); + if (aligned_len > len) { + ubifs_assert(c, aligned_len - len < 8); + ubifs_pad(c, wbuf->buf + wbuf->used + len, aligned_len - len); + } =20 if (aligned_len =3D=3D wbuf->avail) { dbg_io("flush jhead %s wbuf to LEB %d:%d", 
@@ -856,13 +860,18 @@ int ubifs_wbuf_write_nolock(struct ubifs_wbuf *wbuf= , void *buf, int len) } =20 spin_lock(&wbuf->lock); - if (aligned_len) + if (aligned_len) { /* * And now we have what's left and what does not take whole * max. write unit, so write it to the write-buffer and we are * done. */ memcpy(wbuf->buf, buf + written, len); + if (aligned_len > len) { + ubifs_assert(c, aligned_len - len < 8); + ubifs_pad(c, wbuf->buf + len, aligned_len - len); + } + } =20 if (c->leb_size - wbuf->offs >=3D c->max_write_size) wbuf->size =3D c->max_write_size; --=20 2.26.2
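Review bot: in the ubifs_pad() hunk (@@ -319,7), relaxing the assertion to `ubifs_assert(c, pad >= 0);` also admits unaligned values that are >= UBIFS_PAD_NODE_SZ, where the function takes the `if (pad >= UBIFS_PAD_NODE_SZ)` branch and builds a padding node rather than filling raw bytes; an unaligned padding-node length is exactly what the dropped `!(pad & 7)` check used to rule out. Only the sub-8-byte gap filled by the two new callers needs the relaxation, so consider keeping the alignment requirement for the node path, e.g. `ubifs_assert(c, pad >= 0 && (pad < 8 || !(pad & 7)));`, and noting in the function's comment that small unaligned pads are now accepted.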
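Review bot: in the first ubifs_wbuf_write_nolock() hunk (@@ -764,6), the new block after `memcpy(wbuf->buf + wbuf->used, buf, len);` pads `aligned_len - len` bytes, but the hunk does not show how `wbuf->used` and `wbuf->avail` are advanced afterwards; the fix only holds if they move by `aligned_len` rather than `len`, otherwise the next write lands on top of the freshly padded bytes and the `ubifs_assert(c, aligned_len - len < 8);` gives no protection. Worth confirming in the lines right below the hunk, and since the identical three-line block appears again later in the same function, a small static helper would keep the `8` literal in one place.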
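Review bot: in the second ubifs_wbuf_write_nolock() hunk (@@ -856,13), the braces added around `if (aligned_len)` now enclose the comment "And now we have what's left and what does not take whole max. write unit", but that comment still only describes the memcpy(); extend it to say that the tail up to `aligned_len` is filled with ubifs_pad() so uninitialised kmalloc() bytes never reach flash, which is the point of the change. Also, padding at `wbuf->buf + len` here (versus `wbuf->buf + wbuf->used + len` in the earlier hunk) relies on the write-buffer being empty at this point, which the unchanged `memcpy(wbuf->buf, buf + written, len);` already assumes; an `ubifs_assert(c, wbuf->used == 0)` or a one-line comment would make that precondition explicit.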
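As an added illustration of the leak the commit message describes (a toy model written for this page, not UBIFS code): the write buffer is allocated with kmalloc(), node data is copied in and the fill pointer advances by the 8-byte aligned length, so the up-to-7-byte gap keeps whatever the allocation previously held and goes to flash with the next flush. The padded variant fills the gap the way the patch does with ubifs_pad(). The names (toy_wbuf, align8, STALE_BYTE) are the example's own, the stale marker is a constructed stand-in for leftover kernel memory, and the padding byte 0xCE is assumed to match UBIFS_PADDING_BYTE.

```c
/*
 * Added example, not UBIFS code: a toy write-buffer modelling the gap
 * between a node's length and its 8-byte aligned length.
 * STALE_BYTE stands in for whatever a kmalloc()'ed buffer previously
 * held; PADDING_BYTE is assumed to match UBIFS_PADDING_BYTE.
 */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WBUF_SIZE    64
#define STALE_BYTE   0x41 /* constructed marker for stale kernel memory */
#define PADDING_BYTE 0xCE /* assumed value of UBIFS_PADDING_BYTE */

struct toy_wbuf {
	uint8_t *buf;  /* kmalloc()'ed in UBIFS; malloc()'ed here */
	size_t used;   /* bytes of buf that go to flash on flush */
	size_t size;
};

/* Round len up to the 8-byte node alignment UBIFS uses. */
static size_t align8(size_t len)
{
	return (len + 7) & ~(size_t)7;
}

static void toy_wbuf_init(struct toy_wbuf *w)
{
	w->buf = malloc(WBUF_SIZE);
	assert(w->buf);
	/* model uninitialised allocation contents (constructed, not random) */
	memset(w->buf, STALE_BYTE, WBUF_SIZE);
	w->used = 0;
	w->size = WBUF_SIZE;
}

/* Before the fix: copy len bytes, advance by the aligned length, leave the gap. */
static int toy_wbuf_write_leaky(struct toy_wbuf *w, const void *data, size_t len)
{
	size_t aligned = align8(len);

	if (aligned > w->size - w->used)
		return -1;
	memcpy(w->buf + w->used, data, len);
	w->used += aligned;
	return 0;
}

/* After the fix: fill the gap with padding bytes before advancing. */
static int toy_wbuf_write_padded(struct toy_wbuf *w, const void *data, size_t len)
{
	size_t aligned = align8(len);

	if (aligned > w->size - w->used)
		return -1;
	memcpy(w->buf + w->used, data, len);
	if (aligned > len) {
		assert(aligned - len < 8); /* same invariant the patch asserts */
		memset(w->buf + w->used + len, PADDING_BYTE, aligned - len);
	}
	w->used += aligned;
	return 0;
}

/* Count bytes in the to-be-flushed region that still carry the stale marker. */
static size_t count_stale(const struct toy_wbuf *w)
{
	size_t i, n = 0;

	for (i = 0; i < w->used; i++)
		if (w->buf[i] == STALE_BYTE)
			n++;
	return n;
}

/* Write two unaligned nodes (13 and 5 bytes, constructed) and return how many
 * stale bytes would reach flash with the chosen strategy. */
static size_t leaked_bytes(int padded)
{
	const char node_a[] = "node-a-13byte"; /* 13 bytes -> gap of 3 */
	const char node_b[] = "node5";         /* 5 bytes  -> gap of 3 */
	int (*wr)(struct toy_wbuf *, const void *, size_t) =
		padded ? toy_wbuf_write_padded : toy_wbuf_write_leaky;
	struct toy_wbuf w;
	size_t n;

	toy_wbuf_init(&w);
	wr(&w, node_a, strlen(node_a));
	wr(&w, node_b, strlen(node_b));
	n = count_stale(&w);
	free(w.buf);
	return n;
}

int main(void)
{
	printf("unpadded: %zu stale bytes reach flash\n", leaked_bytes(0));
	printf("padded:   %zu stale bytes reach flash\n", leaked_bytes(1));
	return 0;
}
```

The leaky variant lets six marker bytes (two gaps of three) through; the padded one lets none, and the `aligned - len < 8` assertion mirrors the bound the patch places on the gap it fills.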