From: Adrian Hunter
Date: Fri, 26 Sep 2008 09:52:21 +0000 (+0300)
Subject: UBIFS: check buffer length when scanning for LPT nodes
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=be2f6bd62d0d4246a9227dacbe2469e1f0eccf26;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git

UBIFS: check buffer length when scanning for LPT nodes

'is_a_node()' function was reading from a buffer before checking the
buffer length, resulting in an OOPS as follows:

BUG: unable to handle kernel paging request at f8f74002
IP: [] :ubifs:ubifs_unpack_bits+0xca/0x233
*pde = 19e95067 *pte = 00000000
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: ubifs ubi mtdchar bio2mtd mtd brd video output [last unloaded: mtd]

Pid: 6414, comm: integck Not tainted (2.6.27-rc6ubifs34 #23)
EIP: 0060:[] EFLAGS: 00010246 CPU: 0
EIP is at ubifs_unpack_bits+0xca/0x233 [ubifs]
EAX: 00000000 EBX: f6090630 ECX: d9badcfc EDX: 00000000
ESI: 00000004 EDI: f8f74002 EBP: d9badcec ESP: d9badcc0
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process integck (pid: 6414, ti=d9bac000 task=f727dae0 task.ti=d9bac000)
Stack: 00000006 f7306240 00000002 00000000 d9badcfc d9badd00 0000001c 00000000
       f6090630 f6090630 f8f74000 d9badd10 f8fa1cc9 00000000 f8f74002 00000000
       f8f74002 f60fe128 f6090630 f8f74000 d9badd68 f8fa1e46 00000000 0001e000
Call Trace:
[] ? is_a_node+0x30/0x90 [ubifs]
[] ? dbg_check_ltab+0x11d/0x5bd [ubifs]
[] ? ubifs_lpt_start_commit+0x42/0xed3 [ubifs]
[] ? mutex_unlock+0x8/0xa
[] ? ubifs_tnc_start_commit+0x1c8/0xedb [ubifs]
[] ? do_commit+0x187/0x523 [ubifs]
[] ? mutex_unlock+0x8/0xa
[] ? bud_wbuf_callback+0x22/0x28 [ubifs]
[] ? ubifs_run_commit+0x76/0xc0 [ubifs]
[] ? ubifs_sync_fs+0xd2/0xe6 [ubifs]
[] ? vfs_quota_sync+0x0/0x17e
[] ? quota_sync_sb+0x26/0xbb
[] ? vfs_quota_sync+0x0/0x17e
[] ? sync_dquots+0x22/0x12c
[] ? __fsync_super+0x19/0x68
[] ? fsync_super+0xb/0x19
[] ? generic_shutdown_super+0x22/0xe7
[] ? vfs_quota_off+0x0/0x5fd
[] ? ubifs_kill_sb+0x31/0x35 [ubifs]
[] ? deactivate_super+0x5e/0x71
[] ? mntput_no_expire+0x82/0xe4
[] ? sys_umount+0x4c/0x2f6
[] ? sys_oldumount+0x19/0x1b
[] ? sysenter_do_call+0x12/0x25
=======================
Code: c1 f8 03 8d 04 07 8b 4d e8 89 01 8b 45 e4 89 10 89 d8 89 f1 d3 e8 85 c0 74 07 29 d6 83 fe 20 75 2a 89 d8 83 c4 20 5b 5e 5f 5d
EIP: [] ubifs_unpack_bits+0xca/0x233 [ubifs] SS:ESP 0068:d9badcc0
---[ end trace 1f02572436518c13 ]---

Signed-off-by: Adrian Hunter
---
diff --git a/fs/ubifs/lpt_commit.c b/fs/ubifs/lpt_commit.c index 8546865a9104..eed5a0025d63 100644 --- a/fs/ubifs/lpt_commit.c +++ b/fs/ubifs/lpt_commit.c @@ -1089,6 +1089,8 @@ static int is_a_node(struct ubifs_info *c, uint8_t *buf, int len) int pos = 0, node_type, node_len; uint16_t crc, calc_crc; + if (len < UBIFS_LPT_CRC_BYTES + (UBIFS_LPT_TYPE_BITS + 7) / 8) + return 0; node_type = ubifs_unpack_bits(&addr, &pos, UBIFS_LPT_TYPE_BITS); if (node_type == UBIFS_LPT_NOT_A_NODE) return 0;
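Review bot: the new `if (len < UBIFS_LPT_CRC_BYTES + (UBIFS_LPT_TYPE_BITS + 7) / 8)` guard bounds only the type-field read that follows it; the `uint16_t crc, calc_crc;` in the context shows a CRC is unpacked and compared further down, outside this hunk, so please confirm that every later read is independently bounded by `len` (in particular that a node length derived from `node_type` is rejected when it exceeds `len`) rather than relying on this one check. The arithmetic is correct for the crash shown, since the faulting address f8f74002 sits two bytes past the f8f74000 value on the stack, consistent with the type field being read at an offset of UBIFS_LPT_CRC_BYTES into a buffer that had fewer bytes left, but a one-line comment stating that this is the minimum size needed to hold the CRC plus a rounded-up type field would spare the next reader from re-deriving `(UBIFS_LPT_TYPE_BITS + 7) / 8`. Returning 0 (not a node) when the remaining buffer is too short is the right fail-safe direction for a scanner called from dbg_check_ltab().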