Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-5.4 / 7c80c352331a27cf0584f1701ed3a003984985f0
commit7c80c352331a27cf0584f1701ed3a003984985f0[log] [tgz]
authorXi Wang <xi.wang@gmail.com>Wed Apr 25 14:45:22 2012 -0400
committerDavid Woodhouse <David.Woodhouse@intel.com>Sun May 13 23:05:15 2012 -0500
tree3c90b8d5a23cf563fb40a9866bc8dcf11af4b2fc
parent8abc0d4a1181b44e0a42cadab4a15f8c6aa42451 [diff]
jffs2: validate symlink size in jffs2_do_read_inode_internal()

`csize' is read from disk and thus needs validation.  Otherwise a bogus
value 0xffffffff would turn the subsequent kmalloc(csize + 1, ...) into
kmalloc(0, ...), leading to out-of-bounds write.

This patch limits `csize' to JFFS2_MAX_NAME_LEN, which is also used
in jffs2_symlink().

Artem: we actually validate csize by checking CRC, so this 0xFFs cannot
come from empty flash region. But I guess an attacker could feed JFFS2
an image with random csize value, including 0xFFs.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
1 file changed
tree: 3c90b8d5a23cf563fb40a9866bc8dcf11af4b2fc
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS