jffs2: validate symlink size in jffs2_do_read_inode_internal() - drm/drm-misc - Kernel DRM miscellaneous fixes and cross-tree changes

diff options

author	Xi Wang <xi.wang@gmail.com>	2012-04-25 14:45:22 -0400
committer	David Woodhouse <David.Woodhouse@intel.com>	2012-05-13 23:05:15 -0500
commit	7c80c352331a27cf0584f1701ed3a003984985f0 (patch)
tree	3c90b8d5a23cf563fb40a9866bc8dcf11af4b2fc /fs/jffs2/README.Locking
parent	8abc0d4a1181b44e0a42cadab4a15f8c6aa42451 (diff)

jffs2: validate symlink size in jffs2_do_read_inode_internal()

`csize' is read from disk and thus needs validation. Otherwise a bogus value 0xffffffff would turn the subsequent kmalloc(csize + 1, ...) into kmalloc(0, ...), leading to out-of-bounds write. This patch limits `csize' to JFFS2_MAX_NAME_LEN, which is also used in jffs2_symlink(). Artem: we actually validate csize by checking CRC, so this 0xFFs cannot come from empty flash region. But I guess an attacker could feed JFFS2 an image with random csize value, including 0xFFs. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Diffstat (limited to 'fs/jffs2/README.Locking')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: