From: Xi Wang Date: Wed, 25 Apr 2012 18:45:22 +0000 (-0400) Subject: jffs2: validate symlink size in jffs2_do_read_inode_internal() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=7c80c352331a27cf0584f1701ed3a003984985f0;p=GitHub%2Fmt8127%2Fandroid_kernel_alcatel_ttab.git jffs2: validate symlink size in jffs2_do_read_inode_internal() `csize' is read from disk and thus needs validation. Otherwise a bogus value 0xffffffff would turn the subsequent kmalloc(csize + 1, ...) into kmalloc(0, ...), leading to out-of-bounds write. This patch limits `csize' to JFFS2_MAX_NAME_LEN, which is also used in jffs2_symlink(). Artem: we actually validate csize by checking CRC, so this 0xFFs cannot come from empty flash region. But I guess an attacker could feed JFFS2 an image with random csize value, including 0xFFs. Signed-off-by: Xi Wang Signed-off-by: Artem Bityutskiy Signed-off-by: David Woodhouse --- diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c index dc0437e84763..9897f38af707 100644 --- a/fs/jffs2/readinode.c +++ b/fs/jffs2/readinode.c @@ -1266,6 +1266,12 @@ static int jffs2_do_read_inode_internal(struct jffs2_sb_info *c, /* Symlink's inode data is the target path. Read it and * keep in RAM to facilitate quick follow symlink * operation. */ + uint32_t csize = je32_to_cpu(latest_node->csize); + if (csize > JFFS2_MAX_NAME_LEN) { + mutex_unlock(&f->sem); + jffs2_do_clear_inode(c, f); + return -ENAMETOOLONG; + } f->target = kmalloc(je32_to_cpu(latest_node->csize) + 1, GFP_KERNEL); if (!f->target) { JFFS2_ERROR("can't allocate %d bytes of memory for the symlink target path cache\n", je32_to_cpu(latest_node->csize));