Sasha,
Am Freitag, 5. Oktober 2018, 18:17:50 CEST schrieb Sasha Levin:
From: Richard Weinberger richard@nod.at
[ Upstream commit 37f31b6ca4311b94d985fb398a72e5399ad57925 ]
The requested device name can be NULL or an empty string. Check for that and refuse to continue. UBIFS has to do this manually since we cannot use mount_bdev(), which checks for this condition.
Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system") Reported-by: syzbot+38bd0f7865e5c6379280@syzkaller.appspotmail.com Signed-off-by: Richard Weinberger richard@nod.at Signed-off-by: Sasha Levin alexander.levin@microsoft.com
I'm not sure whether it makes sense to apply this patch to stable. 1. You need to be the real root to hit this code path. 2. Access is read-only, for an attacker it is useless.
If we look at the code: if (name[0] != 'u' || name[1] != 'b' || name[2] != 'i') return ERR_PTR(-EINVAL);
/* ubi:NAME method */ if ((name[3] == ':' || name[3] == '!') && name[4] != '\0')
name can be NULL, so we access just a few bytes.
Thanks, //richard