ubifs: Check data node size before truncate
commitpull/10/head95a22d2084
upstream. Check whether the size is within bounds before using it. If the size is not correct, abort and dump the bad data node. Cc: Kees Cook <keescook@chromium.org> Cc: Silvio Cesare <silvio.cesare@gmail.com> Cc: stable@vger.kernel.org Fixes:1e51764a3c
("UBIFS: add new flash file system") Reported-by: Silvio Cesare <silvio.cesare@gmail.com> Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent
3259dd7176
commit
f6d7acc1d9
|
@ -1388,7 +1388,16 @@ int ubifs_jnl_truncate(struct ubifs_info *c, const struct inode *inode,
|
|||
else if (err)
|
||||
goto out_free;
|
||||
else {
|
||||
if (le32_to_cpu(dn->size) <= dlen)
|
||||
int dn_len = le32_to_cpu(dn->size);
|
||||
|
||||
if (dn_len <= 0 || dn_len > UBIFS_BLOCK_SIZE) {
|
||||
ubifs_err(c, "bad data node (block %u, inode %lu)",
|
||||
blk, inode->i_ino);
|
||||
ubifs_dump_node(c, dn);
|
||||
goto out_free;
|
||||
}
|
||||
|
||||
if (dn_len <= dlen)
|
||||
dlen = 0; /* Nothing to do */
|
||||
else {
|
||||
err = truncate_data_node(c, inode, blk, dn, &dlen);
|
||||
|
|
Loading…
Reference in New Issue