On Mon, Jul 02, 2018 at 08:32:55AM +0200, Greg Kroah-Hartman wrote:
On Sun, Jul 01, 2018 at 08:48:07PM +0200, Richard Weinberger wrote:
On Sun, Jul 1, 2018 at 6:22 PM, Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
4.17-stable review patch. If anyone has any objections, please let me know.
From: Silvio Cesare silvio.cesare@gmail.com
commit 353748a359f1821ee934afc579cf04572406b420 upstream.
There is potential for the size and len fields in ubifs_data_node to be too large causing either a negative value for the length fields or an integer overflow leading to an incorrect memory allocation. Likewise, when the len field is small, an integer underflow may occur.
Signed-off-by: Silvio Cesare silvio.cesare@gmail.com Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook keescook@chromium.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Guys, this patch was never on linux-mtd nor was I CC'ed. I don't see it so super security critical which argues to bypass the whole community review process.
Anyway, I don't like this patch for two reasons.
- Instead of doing the kmalloc_array() dance, just check whether size
is 0 > and <= UBIFS_BLOCK_SIZE, in the caller. 2. It will not apply to most stable kernels since it targets the code path with UBIFS encryption available.
Can you get a fix into Linus's tree that I can also queue up for a stable release?
Ah nevermind, I see your revert/add patch now, sorry for the noise.
greg k-h