From patchwork Fri Aug 21 22:43:15 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [JFFS2] Fix csize integer overflow issue due to truncation
X-Patchwork-Submitter: Victor Gallardo
X-Patchwork-Id: 31854
X-Patchwork-Delegate: dwmw2@infradead.org
Message-Id: <1250894595-21052-1-git-send-email-vgallardo@amcc.com>
To: linux-mtd@lists.infradead.org
Cc: Prodyut Hazarika , linuxppc-dev@ozlabs.org, Victor Gallardo , Feng Kan
Date: Fri, 21 Aug 2009 15:43:15 -0700
From: Victor Gallardo
List-Id: Linux MTD discussion mailing list

This fixes a kernel BUG_ON(tn->size == 0) panic in check_node_data due to
integer overflow in read_dnode(). The code incorrectly assigns a uint32_t
local variable (csize) to a uint16_t structure member in
jffs2_tmp_dnode_info. This results in an overflow when the local variable
csize is greater than 65536 (0x10000). This issue is seen when the kernel
PAGE_SIZE is 64K.

The following example illustrates the issue:

fs/jffs2/nodelist.h

struct jffs2_tmp_dnode_info {
	...
	uint16_t csize;
	...
};

fs/jffs2/readinode.c

static inline int read_dnode(...)
{
	struct jffs2_tmp_dnode_info *tn;
	uint32_t len, csize;
	...
	csize = je32_to_cpu(rd->csize);
	...
	tn->csize = csize;	// <=== result truncated if > 0x10000
	...
}

static int check_node_data(...)
{
	...
	BUG_ON(tn->csize == 0);
	...
}

Signed-off-by: Victor Gallardo
Acked-by: Prodyut Hazarika
Acked-by: Feng Kan
---
 fs/jffs2/nodelist.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/fs/jffs2/nodelist.h b/fs/jffs2/nodelist.h
index 507ed6e..67f36c3 100644
--- a/fs/jffs2/nodelist.h
+++ b/fs/jffs2/nodelist.h
@@ -231,7 +231,7 @@ struct jffs2_tmp_dnode_info uint32_t version; uint32_t data_crc; uint32_t partial_crc; - uint16_t csize; + uint32_t csize; uint16_t overlapped; };
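Review bot: widening csize to uint32_t in the hunk removes the truncation, but the commit text shows csize is taken straight from the on-flash node (csize = je32_to_cpu(rd->csize)) and stored into tn->csize without a range check, so an out-of-range value from corrupt or hostile media is now stored in full instead of being truncated; it would be worth confirming that read_dnode() validates csize against the node length before the assignment, since the field is later trusted by check_node_data(). Two documentation points: the threshold in the description should read 65536 (0x10000) or greater rather than "greater than", because 0x10000 itself truncates to 0 and is exactly the value that trips BUG_ON(tn->csize == 0); and the description says BUG_ON(tn->size == 0) while the quoted code reads BUG_ON(tn->csize == 0), so one of the two should be corrected. Minor: with csize now uint32_t and uint16_t overlapped still following it, the struct layout of jffs2_tmp_dnode_info changes, which is harmless but worth a mention in the log since these objects are allocated per node during inode read.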