Cover Letter Detail
Show a cover letter.
GET /api/1.2/covers/2223514/?format=api
{
  "id": 2223514,
  "url": "http://patchwork.ozlabs.org/api/1.2/covers/2223514/?format=api",
  "web_url": "http://patchwork.ozlabs.org/project/linux-mtd/cover/20260415124813.246588-1-michael.bommarito@gmail.com/",
  "project": {
    "id": 3,
    "url": "http://patchwork.ozlabs.org/api/1.2/projects/3/?format=api",
    "name": "Linux MTD development",
    "link_name": "linux-mtd",
    "list_id": "linux-mtd.lists.infradead.org",
    "list_email": "linux-mtd@lists.infradead.org",
    "web_url": null,
    "scm_url": null,
    "webscm_url": null,
    "list_archive_url": "",
    "list_archive_url_format": "",
    "commit_url_format": ""
  },
  "msgid": "<20260415124813.246588-1-michael.bommarito@gmail.com>",
  "list_archive_url": null,
  "date": "2026-04-15T12:48:11",
  "name": "[0/2] jffs2: bound summary reads on crafted flash",
  "submitter": {
    "id": 93078,
    "url": "http://patchwork.ozlabs.org/api/1.2/people/93078/?format=api",
    "name": "Michael Bommarito",
    "email": "michael.bommarito@gmail.com"
  },
  "mbox": "http://patchwork.ozlabs.org/project/linux-mtd/cover/20260415124813.246588-1-michael.bommarito@gmail.com/mbox/",
  "series": [
    {
      "id": 499985,
      "url": "http://patchwork.ozlabs.org/api/1.2/series/499985/?format=api",
      "web_url": "http://patchwork.ozlabs.org/project/linux-mtd/list/?series=499985",
      "date": "2026-04-15T12:48:11",
      "name": "jffs2: bound summary reads on crafted flash",
      "version": 1,
      "mbox": "http://patchwork.ozlabs.org/series/499985/mbox/"
    }
  ],
  "comments": "http://patchwork.ozlabs.org/api/covers/2223514/comments/",
  "headers": {
    "Return-Path": "\n <linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>",
    "X-Original-To": "incoming@patchwork.ozlabs.org",
    "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
    "Authentication-Results": [
      "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=3IW7qMxt;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=Te6uvSYo;\n\tdkim-atps=neutral",
      "legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"
    ],
    "From": "Michael Bommarito <michael.bommarito@gmail.com>",
    "To": "linux-mtd@lists.infradead.org,\n\tDavid Woodhouse <dwmw2@infradead.org>,\n\tRichard Weinberger <richard@nod.at>",
    "Cc": "Zhihao Cheng <chengzhihao1@huawei.com>,\n\tArtem Sadovnikov <a.sadovnikov@ispras.ru>,\n\tKees Cook <kees@kernel.org>,\n\tlinux-kernel@vger.kernel.org",
    "Subject": "[PATCH 0/2] jffs2: bound summary reads on crafted flash",
    "Date": "Wed, 15 Apr 2026 08:48:11 -0400",
    "Message-ID": "<20260415124813.246588-1-michael.bommarito@gmail.com>",
    "X-Mailer": "git-send-email 2.53.0",
    "MIME-Version": "1.0",
    "X-CRM114-Version": "20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ",
    "X-CRM114-Status": "GOOD ( 13.57 )",
    "X-Spam-Score": "-2.1 (--)",
    "X-BeenThere": "linux-mtd@lists.infradead.org",
    "X-Mailman-Version": "2.1.34",
    "Precedence": "list",
    "List-Id": "Linux MTD discussion mailing list <linux-mtd.lists.infradead.org>",
    "List-Unsubscribe": "<http://lists.infradead.org/mailman/options/linux-mtd>,\n <mailto:linux-mtd-request@lists.infradead.org?subject=unsubscribe>",
    "List-Archive": "<http://lists.infradead.org/pipermail/linux-mtd/>",
    "List-Post": "<mailto:linux-mtd@lists.infradead.org>",
    "List-Help": "<mailto:linux-mtd-request@lists.infradead.org?subject=help>",
    "List-Subscribe": "<http://lists.infradead.org/mailman/listinfo/linux-mtd>,\n <mailto:linux-mtd-request@lists.infradead.org?subject=subscribe>",
    "Content-Type": "text/plain; charset=\"us-ascii\"",
    "Content-Transfer-Encoding": "7bit",
    "Sender": "\"linux-mtd\" <linux-mtd-bounces@lists.infradead.org>",
    "Errors-To": "linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"
  },
  "content": "Hi,\n\nTwo mount-time out-of-bounds reads in fs/jffs2/summary.c that are\nreachable when the kernel mounts a crafted JFFS2 flash image. Both\nreproduced on v7.0-rc7 under UML with CONFIG_KASAN=y and\nCONFIG_MTD_BLOCK2MTD=y; pre-fix each oopses in\njffs2_sum_scan_sumnode, post-fix the same images are rejected with a\nwarning and the scanner falls back to the full scan path.\n\n1/2 -- jffs2_sum_scan_sumnode() computes\n\n crc = crc32(0, summary->sum,\n sumsize - sizeof(struct jffs2_raw_summary));\n\n If a crafted on-flash jffs2_sum_marker.offset drives sumsize\n below sizeof(struct jffs2_raw_summary) (= 32), the subtraction\n underflows in size_t and crc32() walks ~16 EiB. The earlier\n header reads of summary->totlen / ->hdr_crc / ->node_crc are\n OOB for the same class of sumsize values. Bound sumsize at\n JFFS2_SUMMARY_FRAME_SIZE (header + marker = 40) which is the\n minimum frame the writer at jffs2_sum_write_sumnode() emits.\n\n KASAN evidence:\n\n BUG: KASAN: slab-out-of-bounds in\n jffs2_sum_scan_sumnode+0x131/0x1611\n Read of size 4 at addr 00000000621fb004 by task mount/31\n Located 4 bytes to the right of 4096-byte region\n\n2/2 -- jffs2_sum_process_sum_data() iterates summary->sum_num times\n with no bounds check on the remaining payload. Crafted\n sum_num > (actual entries) walks sp off the summary buffer;\n nodetype is then read from adjacent slab memory, and if those\n bytes decode as one of the known case labels the handler\n calls sum_link_node_ref() with offset/totlen pulled from the\n OOB bytes. Pass sumsize into the helper and bound sp before\n every nodetype read and every type-specific field access.\n\n KASAN evidence (patch 1 applied so the bug is reached):\n\n BUG: KASAN: slab-out-of-bounds in\n jffs2_sum_scan_sumnode+0x6bd/0x16bf\n Read of size 2 at addr 00000000621fb000 by task mount/31\n Located 0 bytes to the right of 4096-byte region\n\n A matching sum_num=1 image (same bytes, honest sum_num) does\n not splat.\n\nImpact:\n\n Mount-time only, CAP_SYS_ADMIN required to attach the MTD and\n call mount(2). Not reachable from unprivileged users, user\n namespaces, FUSE, or network. Relevant practically on embedded\n devices that auto-mount JFFS2 on boot when the flash is writable\n out-of-band.\n\n 1/2 is an OOB read / DoS on mount.\n\n 2/2 is not just an OOB read: the type-specific handlers run past\n the buffer boundary before sp is bounded, so corrupted in-memory\n jeb state can persist past the faulting iteration rather than\n cleanly oopsing. Closing the bound prevents that sequence. No\n controlled kernel write, no RCE primitive in evidence.\n\nReproduction artefacts (craft scripts, UML init, pre/post KASAN\nlogs) are on the reporter side on request.\n\nThanks,\nMike\n\nMichael Bommarito (2):\n jffs2: reject truncated summary node before header validation\n jffs2: bound summary entry walks against the payload\n\n fs/jffs2/summary.c | 44 +++++++++++++++++++++++++++++++++++++++++---\n 1 file changed, 41 insertions(+), 3 deletions(-)"
}