From patchwork Fri Aug 21 22:43:15 2009
X-Patchwork-Submitter: Victor Gallardo
X-Patchwork-Id: 31854
X-Patchwork-Delegate: dwmw2@infradead.org
From: Victor Gallardo
To: linux-mtd@lists.infradead.org
Subject: [PATCH] [JFFS2] Fix csize integer overflow issue due to truncation
Date: Fri, 21 Aug 2009 15:43:15 -0700
Message-Id: <1250894595-21052-1-git-send-email-vgallardo@amcc.com>
Cc: Prodyut Hazarika, linuxppc-dev@ozlabs.org, Victor Gallardo, Feng Kan

This fixes a kernel BUG_ON(tn->size == 0) panic in check_node_data due to
integer overflow in read_dnode(). The code incorrectly assigns a uint32_t
local variable (csize) to a uint16_t structure member in
jffs2_tmp_dnode_info. This results in an overflow when the local variable
csize is greater than 65536 (0x10000). This issue is seen when kernel
PAGE_SIZE is 64K.

The following example illustrates the issue:

fs/jffs2/nodelist.h

struct jffs2_tmp_dnode_info {
	...
	uint16_t csize;
	...
};

fs/jffs2/readinode.c

static inline int read_dnode(...)
{
	struct jffs2_tmp_dnode_info *tn;
	uint32_t len, csize;
	...
	csize = je32_to_cpu(rd->csize);
	...
	tn->csize = csize;	// <=== result truncated if > 0x10000
	...
}

static int check_node_data(...)
{
	...
	BUG_ON(tn->csize == 0);
	...
}

Signed-off-by: Victor Gallardo
Acked-by: Prodyut Hazarika
Acked-by: Feng Kan
---
 fs/jffs2/nodelist.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/fs/jffs2/nodelist.h b/fs/jffs2/nodelist.h
index 507ed6e..67f36c3 100644
--- a/fs/jffs2/nodelist.h
+++ b/fs/jffs2/nodelist.h
@@ -231,7 +231,7 @@ struct jffs2_tmp_dnode_info uint32_t version; uint32_t data_crc; uint32_t partial_crc; - uint16_t csize; + uint32_t csize; uint16_t overlapped; };
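Review bot: widening csize to uint32_t is the right fix, but the boundary stated in the commit message and in the `// <=== result truncated if > 0x10000` comment is off by one: a 16-bit field already truncates csize == 0x10000 to 0, and that exact value is the 64K PAGE_SIZE case that trips BUG_ON(tn->csize == 0), so the message should say "greater than or equal to 65536 (0x10000)". Also, because csize comes straight from the on-flash node via je32_to_cpu(rd->csize), the wider field now stores whatever value is on media instead of silently wrapping it; please confirm that read_dnode still validates csize against the node's data length before `tn->csize = csize;`, since the field width no longer bounds it.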