Commit 1bc1f0f7 authored Jul 01, 2018 by Richard Weinberger Committed by Greg Kroah-Hartman Sep 09, 2018

ubifs: Check data node size before truncate



commit 95a22d2084d72ea067d8323cc85677dba5d97cae upstream.

Check whether the size is within bounds before using it.
If the size is not correct, abort and dump the bad data node.

Cc: Kees Cook <keescook@chromium.org>
Cc: Silvio Cesare <silvio.cesare@gmail.com>
Cc: stable@vger.kernel.org
Fixes: 1e51764a ("UBIFS: add new flash file system")
Reported-by: Silvio Cesare <silvio.cesare@gmail.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 48e11484

fs/ubifs/journal.c

+10 −1

Original line number	Diff line number	Diff line
		@@ -1344,7 +1344,16 @@ int ubifs_jnl_truncate(struct ubifs_info c, const struct inode inode,
		else if (err)
		goto out_free;
		else {
		if (le32_to_cpu(dn->size) <= dlen)
		int dn_len = le32_to_cpu(dn->size);

		if (dn_len <= 0 \|\| dn_len > UBIFS_BLOCK_SIZE) {
		ubifs_err(c, "bad data node (block %u, inode %lu)",
		blk, inode->i_ino);
		ubifs_dump_node(c, dn);
		goto out_free;
		}

		if (dn_len <= dlen)
		dlen = 0; /* Nothing to do */
		else {
		int compr_type = le16_to_cpu(dn->compr_type);