On Sun, Jul 1, 2018 at 6:22 PM, Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
4.17-stable review patch. If anyone has any objections, please let me know.
From: Silvio Cesare silvio.cesare@gmail.com
commit 353748a359f1821ee934afc579cf04572406b420 upstream.
There is potential for the size and len fields in ubifs_data_node to be too large causing either a negative value for the length fields or an integer overflow leading to an incorrect memory allocation. Likewise, when the len field is small, an integer underflow may occur.
Signed-off-by: Silvio Cesare silvio.cesare@gmail.com Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook keescook@chromium.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Guys, this patch was never on linux-mtd nor was I CC'ed. I don't see it so super security critical which argues to bypass the whole community review process.
Anyway, I don't like this patch for two reasons. 1. Instead of doing the kmalloc_array() dance, just check whether size is 0 > and <= UBIFS_BLOCK_SIZE, in the caller. 2. It will not apply to most stable kernels since it targets the code path with UBIFS encryption available.