----- Ursprüngliche Mail -----
Von: "Joakim Tjernlund" Joakim.Tjernlund@infinera.com An: "menglong8 dong" menglong8.dong@gmail.com, "David Woodhouse" dwmw2@infradead.org CC: "yang yang29" yang.yang29@zte.com.cn, "stable" stable@vger.kernel.org, "linux-kernel" linux-kernel@vger.kernel.org, "richard" richard@nod.at, "linux-mtd" linux-mtd@lists.infradead.org Gesendet: Donnerstag, 28. Januar 2021 12:17:34 Betreff: Re: [PATCH] jffs2: check the validity of dstlen in jffs2_zlib_compress()
On Thu, 2021-01-28 at 02:55 -0800, menglong8.dong@gmail.com wrote:
From: Yang Yang yang.yang29@zte.com.cn
KASAN reports a BUG when download file in jffs2 filesystem.It is because when dstlen == 1, cpage_out will write array out of bounds. Actually, data will not be compressed in jffs2_zlib_compress() if data's length less than 4.
Ouch, data corruption will ensue. Good find! I think this needs to go to stable as well.
Indeed! Do you know whether this is a regression? Seems to be like that since ever.
Thanks, //richard