Patch Detail
GET /api/1.2/patches/2223513/?format=api
{ "id": 2223513, "url": "http://patchwork.ozlabs.org/api/1.2/patches/2223513/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-mtd/patch/20260415124813.246588-2-michael.bommarito@gmail.com/", "project": { "id": 3, "url": "http://patchwork.ozlabs.org/api/1.2/projects/3/?format=api", "name": "Linux MTD development", "link_name": "linux-mtd", "list_id": "linux-mtd.lists.infradead.org", "list_email": "linux-mtd@lists.infradead.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260415124813.246588-2-michael.bommarito@gmail.com>", "list_archive_url": null, "date": "2026-04-15T12:48:12", "name": "[1/2] jffs2: reject truncated summary node before header validation", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "53842bcf095f490c30024abcb0aa714f0cff9e8d", "submitter": { "id": 93078, "url": "http://patchwork.ozlabs.org/api/1.2/people/93078/?format=api", "name": "Michael Bommarito", "email": "michael.bommarito@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linux-mtd/patch/20260415124813.246588-2-michael.bommarito@gmail.com/mbox/", "series": [ { "id": 499985, "url": "http://patchwork.ozlabs.org/api/1.2/series/499985/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-mtd/list/?series=499985", "date": "2026-04-15T12:48:11", "name": "jffs2: bound summary reads on crafted flash", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/499985/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2223513/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2223513/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ 
"legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=EROBBC8A;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=ZD+qQtpa;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwgth05V5z1yDF\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 22:48:44 +1000 (AEST)", "from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wCzfU-0000000194z-1Y7Z;\n\tWed, 15 Apr 2026 12:48:32 +0000", "from mail-qv1-xf2b.google.com ([2607:f8b0:4864:20::f2b])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wCzfS-0000000194A-3LTN\n\tfor linux-mtd@lists.infradead.org;\n\tWed, 15 Apr 2026 12:48:31 +0000", "by mail-qv1-xf2b.google.com with SMTP id\n 6a1803df08f44-8acb856a674so27908186d6.0\n for <linux-mtd@lists.infradead.org>;\n Wed, 15 Apr 2026 05:48:30 -0700 (PDT)", "from server0.tail6e7dd.ts.net (c-68-48-65-54.hsd1.mi.comcast.net.\n [68.48.65.54])\n by smtp.gmail.com with ESMTPSA id\n 6a1803df08f44-8ae6ceb891csm10614016d6.48.2026.04.15.05.48.27\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 15 Apr 2026 05:48:28 -0700 (PDT)" ],
"X-Received": "by 2002:a05:6214:765:b0:89c:637a:6bb with SMTP id\n 6a1803df08f44-8ac860e6200mr326656306d6.4.1776257309176;\n Wed, 15 Apr 2026 05:48:29 -0700 (PDT)", "From": "Michael Bommarito <michael.bommarito@gmail.com>", "To": "linux-mtd@lists.infradead.org,\n\tDavid Woodhouse <dwmw2@infradead.org>,\n\tRichard Weinberger <richard@nod.at>", "Cc": "Zhihao Cheng <chengzhihao1@huawei.com>,\n\tArtem Sadovnikov <a.sadovnikov@ispras.ru>,\n\tKees Cook <kees@kernel.org>,\n\tlinux-kernel@vger.kernel.org", "Subject": "[PATCH 1/2] jffs2: reject truncated summary node before header\n validation", "Date": "Wed, 15 Apr 2026 08:48:12 -0400", "Message-ID": "<20260415124813.246588-2-michael.bommarito@gmail.com>", "X-Mailer": "git-send-email 2.53.0", "In-Reply-To": "<20260415124813.246588-1-michael.bommarito@gmail.com>", "References": "<20260415124813.246588-1-michael.bommarito@gmail.com>", "MIME-Version": "1.0", "X-CRM114-Version": 
"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ", "X-CRM114-CacheID": "sfid-20260415_054830_841583_FB145623 ", "X-CRM114-Status": "GOOD ( 13.61 )", "X-Spam-Score": "-2.1 (--)", "X-Spam-Report": "Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam. The original\n message has been attached to this so you can view it or label\n similar future email. If you have any questions, see\n the administrator of that system for details.\n Content preview: jffs2_sum_scan_sumnode() is called from\n jffs2_scan_eraseblock()\n with sumsize derived from the on-flash jffs2_sum_marker::offset: sumlen =\n c->sector_size - je32_to_cpu(sm->offset);\n A crafted flash image can set sm->offset\n so that sumsize < JFFS2_SUMMARY_FRAME_SIZE (= sizeof(struct\n jffs2_raw_summary)\n + sizeof(struct jffs2_sum_marker) = 40,\n the minimum frame the writer at jffs2_su\n [...]\n Content analysis details: (-2.1 points, 5.0 required)\n pts rule name description\n ---- ----------------------\n --------------------------------------------------\n -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no\n trust\n [2607:f8b0:4864:20:0:0:0:f2b listed in]\n [list.dnswl.org]\n -0.0 SPF_PASS SPF: sender matches SPF record\n 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record\n -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from\n envelope-from domain\n 0.1 DKIM_SIGNED Message has a DKIM or DK signature,\n not necessarily valid\n -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from\n author's\n domain\n -0.1 DKIM_VALID Message has at least one valid DKIM or DK\n signature\n -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%\n [score: 0.0000]\n 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail\n provider\n [michael.bommarito(at)gmail.com]", "X-BeenThere": "linux-mtd@lists.infradead.org", "X-Mailman-Version": "2.1.34", "Precedence": "list", "List-Id": "Linux MTD 
discussion mailing list <linux-mtd.lists.infradead.org>", "List-Unsubscribe": "<http://lists.infradead.org/mailman/options/linux-mtd>,\n <mailto:linux-mtd-request@lists.infradead.org?subject=unsubscribe>", "List-Archive": "<http://lists.infradead.org/pipermail/linux-mtd/>", "List-Post": "<mailto:linux-mtd@lists.infradead.org>", "List-Help": "<mailto:linux-mtd-request@lists.infradead.org?subject=help>", "List-Subscribe": "<http://lists.infradead.org/mailman/listinfo/linux-mtd>,\n <mailto:linux-mtd-request@lists.infradead.org?subject=subscribe>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Sender": "\"linux-mtd\" <linux-mtd-bounces@lists.infradead.org>", "Errors-To": "linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org" }, "content": "jffs2_sum_scan_sumnode() is called from jffs2_scan_eraseblock() with\nsumsize derived from the on-flash jffs2_sum_marker::offset:\n\n sumlen = c->sector_size - je32_to_cpu(sm->offset);\n\nA crafted flash image can set sm->offset so that\nsumsize < JFFS2_SUMMARY_FRAME_SIZE\n(= sizeof(struct jffs2_raw_summary) + sizeof(struct jffs2_sum_marker)\n= 40, the minimum frame the writer at jffs2_sum_write_sumnode() emits\nand the minimum sumlen that corresponds to a legitimate on-flash\nlayout). The function then reads the summary header unchecked:\n\n crcnode.totlen = summary->totlen; /* offset +4 */\n crc = crc32(0, &crcnode, sizeof(crcnode)-4);\n if (je32_to_cpu(summary->hdr_crc) != crc) /* offset +8 */\n goto crc_err;\n if (je32_to_cpu(summary->totlen) != sumsize)\n goto crc_err;\n crc = crc32(0, summary, sizeof(struct jffs2_raw_summary)-8);\n if (je32_to_cpu(summary->node_crc) != crc) /* offset +28 */\n goto crc_err;\n crc = crc32(0, summary->sum,\n sumsize - sizeof(struct jffs2_raw_summary));\n\nEach header read at offset +4, +8 and +28 of a too-small buffer is a\nslab out-of-bounds read. 
Worse, sumsize - sizeof(struct\njffs2_raw_summary) underflows in size_t and the final crc32() walks\n~16 EiB of memory, which translates to a kernel oops on mount once the\nwalk hits unmapped memory.\n\nReachable whenever a crafted JFFS2 flash image is mounted: typical in\nembedded systems where flash can be rewritten out-of-band (JTAG, SPI\nflasher, hostile firmware update) and the device auto-mounts JFFS2 on\nboot, or any CAP_SYS_ADMIN context that supplies the MTD backing.\n\nBounding on JFFS2_SUMMARY_FRAME_SIZE matches the actual on-flash frame\nlayout the writer emits and does not reject any legitimate image.\n\nReproduced on v7.0-rc7 under UML + CONFIG_KASAN=y with a 16 MiB\nblock2mtd-backed image whose first erase block's jffs2_sum_marker\npoints at sector_size; pre-fix:\n\n BUG: KASAN: slab-out-of-bounds in jffs2_sum_scan_sumnode+0x131/0x1611\n Read of size 4 at addr 00000000621fb004 by task mount/31\n Allocated by mtd_kmalloc_up_to via jffs2_scan_medium+0x246\n Located 4 bytes to the right of allocated 4096-byte region\n\nPost-fix the same image is rejected cleanly with a warning and mount\nfalls back to the full scan path.\n\nAssisted-by: Claude:claude-opus-4-6\nSigned-off-by: Michael Bommarito <michael.bommarito@gmail.com>\n---\n fs/jffs2/summary.c | 9 +++++++++\n 1 file changed, 9 insertions(+)", "diff": "diff --git a/fs/jffs2/summary.c b/fs/jffs2/summary.c\nindex 4521a7723f30..150a9c83cb05 100644\n--- a/fs/jffs2/summary.c\n+++ b/fs/jffs2/summary.c\n@@ -577,6 +577,15 @@ int jffs2_sum_scan_sumnode(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb\n \tint ret, ofs;\n \tuint32_t crc;\n \n+\t/* Reject frames that can't hold the header + marker the writer\n+\t * always emits (also blocks the sumsize - sizeof(*summary)\n+\t * size_t underflow at the sum_crc check below). 
*/\n+\tif (sumsize < JFFS2_SUMMARY_FRAME_SIZE) {\n+\t\tJFFS2_WARNING(\"Summary node too small (%u bytes), skipping.\\n\",\n+\t\t\t sumsize);\n+\t\treturn 0;\n+\t}\n+\n \tofs = c->sector_size - sumsize;\n \n \tdbg_summary(\"summary found for 0x%08x at 0x%08x (0x%x bytes)\\n\",\n", "prefixes": [ "1/2" ] }
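Review bot: sumsize is still unbounded from above after the added `sumsize < JFFS2_SUMMARY_FRAME_SIZE` test in jffs2_sum_scan_sumnode(), so the unchanged context line `ofs = c->sector_size - sumsize;` directly below it is not a valid offset into the erase block when sumsize exceeds c->sector_size. The commit message derives the value as sumlen = c->sector_size - je32_to_cpu(sm->offset), which wraps to a large value if a crafted sm->offset is greater than c->sector_size, and nothing in this hunk shows that case being excluded. If the caller or patch 2/2 does not already reject it, extend the same condition with `|| sumsize > c->sector_size` so both bounds are enforced in one place. Two smaller points: `return 0` here relies on the caller treating 0 as "no usable summary, do the full scan", which the commit message states but the comment does not, so a few words on that in the comment would help the next reader; and the block comment opens with text on the `/*` line, whereas kernel coding style prefers `/*` on a line of its own for multi-line comments.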