From patchwork Wed Mar 16 19:42:00 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kamal Mostafa X-Patchwork-Id: 598646 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 3qQMNF4mnnz9s3T; Thu, 17 Mar 2016 06:43:09 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1agHLW-0003GT-BE; Wed, 16 Mar 2016 19:43:06 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1agHKW-0002fi-Dg for kernel-team@lists.ubuntu.com; Wed, 16 Mar 2016 19:42:04 +0000 Received: from 1.general.kamal.us.vpn ([10.172.68.52] helo=fourier) by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1agHKV-0006iP-Vx; Wed, 16 Mar 2016 19:42:04 +0000 Received: from kamal by fourier with local (Exim 4.86) (envelope-from ) id 1agHKT-00020p-AF; Wed, 16 Mar 2016 12:42:01 -0700 From: Kamal Mostafa To: Richard Weinberger Subject: [3.19.y-ckt stable] Patch "ubi: Fix out of bounds write in volume update code" has been added to the 3.19.y-ckt tree Date: Wed, 16 Mar 2016 12:42:00 -0700 Message-Id: <1458157320-7700-1-git-send-email-kamal@canonical.com> X-Mailer: git-send-email 2.7.0 X-Extended-Stable: 3.19 Cc: Boris Brezillon , Kamal Mostafa , kernel-team@lists.ubuntu.com X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com This is a note to let you know that I have just added a patch titled ubi: Fix out of bounds write in volume update code to the linux-3.19.y-queue branch of the 3.19.y-ckt extended stable tree which can be found at: http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.19.y-queue This patch is scheduled to be released in version 3.19.8-ckt17. If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.19.y-ckt tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Kamal ---8<------------------------------------------------------------ From 1e737dac946880b5e7436bf8f9ea2fb27dca8b24 Mon Sep 17 00:00:00 2001 From: Richard Weinberger Date: Sun, 21 Feb 2016 10:53:03 +0100 Subject: ubi: Fix out of bounds write in volume update code commit e4f6daac20332448529b11f09388f1d55ef2084c upstream. ubi_start_leb_change() allocates too few bytes. ubi_more_leb_change_data() will write up to req->upd_bytes + ubi->min_io_size bytes. Signed-off-by: Richard Weinberger Reviewed-by: Boris Brezillon Signed-off-by: Kamal Mostafa --- drivers/mtd/ubi/upd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.7.0 diff --git a/drivers/mtd/ubi/upd.c b/drivers/mtd/ubi/upd.c index 2a1b6e0..0134ba3 100644 --- a/drivers/mtd/ubi/upd.c +++ b/drivers/mtd/ubi/upd.c @@ -193,7 +193,7 @@ int ubi_start_leb_change(struct ubi_device *ubi, struct ubi_volume *vol, vol->changing_leb = 1; vol->ch_lnum = req->lnum; - vol->upd_buf = vmalloc(req->bytes); + vol->upd_buf = vmalloc(ALIGN((int)req->bytes, ubi->min_io_size)); if (!vol->upd_buf) return -ENOMEM;