Commit f6d7acc1 authored by Richard Weinberger, committed by Greg Kroah-Hartman

ubifs: Check data node size before truncate

commit 95a22d20 upstream.

Check whether the size is within bounds before using it.
If the size is not correct, abort and dump the bad data node.

Cc: Kees Cook <keescook@chromium.org>
Cc: Silvio Cesare <silvio.cesare@gmail.com>
Cc: stable@vger.kernel.org
Fixes: 1e51764a ("UBIFS: add new flash file system")
Reported-by: Silvio Cesare <silvio.cesare@gmail.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 3259dd71
......@@ -1388,7 +1388,16 @@ int ubifs_jnl_truncate(struct ubifs_info *c, const struct inode *inode,
else if (err)
goto out_free;
else {
if (le32_to_cpu(dn->size) <= dlen)
int dn_len = le32_to_cpu(dn->size);
if (dn_len <= 0 || dn_len > UBIFS_BLOCK_SIZE) {
ubifs_err(c, "bad data node (block %u, inode %lu)",
blk, inode->i_ino);
ubifs_dump_node(c, dn);
goto out_free;
}
if (dn_len <= dlen)
dlen = 0; /* Nothing to do */
else {
err = truncate_data_node(c, inode, blk, dn, &dlen);
......
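Review bot: The `goto out_free` on the new bad-size path in `ubifs_jnl_truncate()` leaves `err` unset, and this `else` branch is only reached when `err` is zero, because the preceding `else if (err)` has already jumped out. If `out_free` returns `err`, the caller sees success for a data node that was just reported as bad, which does not match the "abort" in the commit message. Set an error code before the jump, for example `err = -EINVAL;` ahead of `goto out_free;`. A smaller style point: kernel convention puts a blank line between the `int dn_len` declaration and the `if` that follows it.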