On Sun, Jul 1, 2018 at 6:22 PM, Greg Kroah-Hartman <[email protected]> wrote: > 4.17-stable review patch. If anyone has any objections, please let me know. > > ------------------ > > From: Silvio Cesare <[email protected]> > > commit 353748a359f1821ee934afc579cf04572406b420 upstream. > > There is potential for the size and len fields in ubifs_data_node to be > too large causing either a negative value for the length fields or an > integer overflow leading to an incorrect memory allocation. Likewise, > when the len field is small, an integer underflow may occur. > > Signed-off-by: Silvio Cesare <[email protected]> > Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system") > Cc: [email protected] > Signed-off-by: Kees Cook <[email protected]> > Signed-off-by: Greg Kroah-Hartman <[email protected]>
Guys, this patch was never on linux-mtd nor was I CC'ed. I don't see it so super security critical which argues to bypass the whole community review process. Anyway, I don't like this patch for two reasons. 1. Instead of doing the kmalloc_array() dance, just check whether size is 0 > and <= UBIFS_BLOCK_SIZE, in the caller. 2. It will not apply to most stable kernels since it targets the code path with UBIFS encryption available. -- Thanks, //richard
