This pull request contains changes (actually just fixes) for UBIFS

JFFS2: - Fix for use-after-free in jffs2_sum_write_data() - Fix for out-of-bounds access in jffs2_zlib_compress() UBI: - Remove dead/useless code UBIFS: - Fix for a memory leak in ubifs_init_authentication() - Fix for high stack usage - Fix for a off-by-one error in xattrs code -----BEGIN PGP SIGNATURE----- iQJKBAABCAA0FiEEdgfidid8lnn52cLTZvlZhesYu8EFAmAyuh8WHHJpY2hhcmRA c2lnbWEtc3Rhci5hdAAKCRBm+VmF6xi7wT+bD/9Q2Ar9yMX9drPyAnyb3vudE8c8 l0RdNLyBSL87pskpszNZR2+o8Yi3vjlbGWq5i97JsP/7UOb4Gc/MfXPYJteP1xUN S46EZwgcZa4XCgMSSdMk/NZl7bVdbwjvcGjw1CA4RdPkwt8s2jwYdS+hPrHu6o87 3xkP7kWShs/2KhUyvodZgAu6SYcTW+OjiKwdAIKxa1Ak9YUMGzsSHqCbl19he5MG hMxFZIqRZ2zZUfFeYXffVApJI8eBEKVud2qtNA/A6eGsy5Wx3c4F/bxG/uWdoJPp n5CmFRc6UGh8teA43aag5BnLv8sR9bC1Kf3lQX4nwfpBSzE7LwIMN7SVpL0JH5vT dJdwn37JYL/RQjmjTk++O/sSgeg9jJWMG+VOSmuKWPgP6xAYEVXqWg9njuV3wl9W NFBoybP82IyVHcthOcTrY8dx0F7A4q+3PkMy+7cikO2fYKVvJjdKgTp4pcVnGCR3 IadXzNRdYrLPvYwf25D2AyETwQQxcmh/Ox7ZOhkUXuFQ/KnhU0yqbO3cTTB1A/mO jY2SPtXXeUZwgGpGc8Lyr8/KGZ6tJX/3jswwmg+XvdegBLRogqty8XOcwUuJszCh 1kDAKs2LJ6UaMYyhV6Jxr4c+wgHoKJG+voY+oTkrUP4Lt0hQVELCylEkX2uJo60Y x4Gic/YbRUwnfjlAcg== =xorv -----END PGP SIGNATURE----- Merge tag 'for-linus-5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs Pull JFFS2/UBIFS and UBI updates from Richard Weinberger: "JFFS2: - Fix for use-after-free in jffs2_sum_write_data() - Fix for out-of-bounds access in jffs2_zlib_compress() UBI: - Remove dead/useless code UBIFS: - Fix for a memory leak in ubifs_init_authentication() - Fix for high stack usage - Fix for a off-by-one error in xattrs code" * tag 'for-linus-5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs: ubifs: Fix error return code in alloc_wbufs() jffs2: check the validity of dstlen in jffs2_zlib_compress() ubifs: Fix off-by-one error ubifs: replay: Fix high stack usage, again ubifs: Fix memleak in ubifs_init_authentication jffs2: fix use after free in jffs2_sum_write_data() ubi: eba: Delete useless kfree code ubi: remove dead code in validate_vid_hdr()
2021-02-21 13:57:08 -08:00 · 2021-02-21 13:57:08 -08:00 · 66f73fb3fa
parent 69e9b12a27 42119dbe57
commit 66f73fb3fa
9 changed files with 16 additions and 12 deletions
--- a/drivers/mtd/ubi/eba.c
+++ b/drivers/mtd/ubi/eba.c
@ -142,7 +142,6 @@ struct ubi_eba_table *ubi_eba_create_table(struct ubi_volume *vol,
 	return tbl;

 err:
-	kfree(tbl->entries);
 	kfree(tbl);

 	return ERR_PTR(err);
--- a/drivers/mtd/ubi/io.c
+++ b/drivers/mtd/ubi/io.c
@ -913,12 +913,7 @@ static int validate_vid_hdr(const struct ubi_device *ubi,
 				ubi_err(ubi, "bad data_size");
 				goto bad;
 			}
-		} else if (lnum == used_ebs - 1) {
-			if (data_size == 0) {
-				ubi_err(ubi, "bad data_size at last LEB");
-				goto bad;
-			}
-		} else {
+		} else if (lnum > used_ebs - 1) {
 			ubi_err(ubi, "too high lnum");
 			goto bad;
 		}
--- a/fs/jffs2/compr_rtime.c
+++ b/fs/jffs2/compr_rtime.c
@ -37,6 +37,9 @@ static int jffs2_rtime_compress(unsigned char *data_in,
 	int outpos = 0;
 	int pos=0;

+	if (*dstlen <= 3)
+		return -1;
+
 	memset(positions,0,sizeof(positions));

 	while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
--- a/fs/jffs2/summary.c
+++ b/fs/jffs2/summary.c
@ -783,6 +783,8 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
 					dbg_summary("Writing unknown RWCOMPAT_COPY node type %x\n",
 						    je16_to_cpu(temp->u.nodetype));
 					jffs2_sum_disable_collecting(c->summary);
+					/* The above call removes the list, nothing more to do */
+					goto bail_rwcompat;
 				} else {
 					BUG();	/* unknown node in summary information */
 				}
@ -794,6 +796,7 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock

 		c->summary->sum_num--;
 	}
+ bail_rwcompat:

 	jffs2_sum_reset_collected(c->summary);

--- a/fs/ubifs/auth.c
+++ b/fs/ubifs/auth.c
@ -327,7 +327,7 @@ int ubifs_init_authentication(struct ubifs_info *c)
 		ubifs_err(c, "hmac %s is bigger than maximum allowed hmac size (%d > %d)",
 			  hmac_name, c->hmac_desc_len, UBIFS_HMAC_ARR_SZ);
 		err = -EINVAL;
-		goto out_free_hash;
+		goto out_free_hmac;
 	}

 	err = crypto_shash_setkey(c->hmac_tfm, ukp->data, ukp->datalen);
--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
@ -881,7 +881,7 @@ int ubifs_jnl_write_inode(struct ubifs_info *c, const struct inode *inode)
 		struct inode *xino;
 		struct ubifs_dent_node *xent, *pxent = NULL;

-		if (ui->xattr_cnt >= ubifs_xattr_max_cnt(c)) {
+		if (ui->xattr_cnt > ubifs_xattr_max_cnt(c)) {
 			ubifs_err(c, "Cannot delete inode, it has too much xattrs!");
 			goto out_release;
 		}
--- a/fs/ubifs/replay.c
+++ b/fs/ubifs/replay.c
@ -559,7 +559,9 @@ static int is_last_bud(struct ubifs_info *c, struct ubifs_bud *bud)
 }

 /* authenticate_sleb_hash is split out for stack usage */
-static int authenticate_sleb_hash(struct ubifs_info *c, struct shash_desc *log_hash, u8 *hash)
+static int noinline_for_stack
+authenticate_sleb_hash(struct ubifs_info *c,
+		       struct shash_desc *log_hash, u8 *hash)
 {
 	SHASH_DESC_ON_STACK(hash_desc, c->hash_tfm);

--- a/fs/ubifs/super.c
+++ b/fs/ubifs/super.c
@ -838,8 +838,10 @@ static int alloc_wbufs(struct ubifs_info *c)
 		c->jheads[i].wbuf.jhead = i;
 		c->jheads[i].grouped = 1;
 		c->jheads[i].log_hash = ubifs_hash_get_desc(c);
-		if (IS_ERR(c->jheads[i].log_hash))
+		if (IS_ERR(c->jheads[i].log_hash)) {
+			err = PTR_ERR(c->jheads[i].log_hash);
 			goto out;
+		}
 	}

 	/*
--- a/fs/ubifs/xattr.c
+++ b/fs/ubifs/xattr.c
@ -498,7 +498,7 @@ int ubifs_purge_xattrs(struct inode *host)
 	struct fscrypt_name nm = {0};
 	int err;

-	if (ubifs_inode(host)->xattr_cnt < ubifs_xattr_max_cnt(c))
+	if (ubifs_inode(host)->xattr_cnt <= ubifs_xattr_max_cnt(c))
 		return 0;

 	ubifs_warn(c, "inode %lu has too many xattrs, doing a non-atomic deletion",