| From 08acbdd6fd736b90f8d725da5a0de4de2dd6de62 Mon Sep 17 00:00:00 2001 |
| From: Richard Weinberger <richard@nod.at> |
| Date: Sun, 1 Jul 2018 23:20:50 +0200 |
| Subject: Revert "UBIFS: Fix potential integer overflow in allocation" |
| |
| From: Richard Weinberger <richard@nod.at> |
| |
| commit 08acbdd6fd736b90f8d725da5a0de4de2dd6de62 upstream. |
| |
| This reverts commit 353748a359f1821ee934afc579cf04572406b420. |
| It bypassed the linux-mtd review process and fixes the issue not as it |
| should. |
| |
| Cc: Kees Cook <keescook@chromium.org> |
| Cc: Silvio Cesare <silvio.cesare@gmail.com> |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Richard Weinberger <richard@nod.at> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/ubifs/journal.c | 5 ++--- |
| 1 file changed, 2 insertions(+), 3 deletions(-) |
| |
| --- a/fs/ubifs/journal.c |
| +++ b/fs/ubifs/journal.c |
| @@ -1283,11 +1283,10 @@ static int truncate_data_node(const stru |
| int *new_len) |
| { |
| void *buf; |
| - int err, compr_type; |
| - u32 dlen, out_len, old_dlen; |
| + int err, dlen, compr_type, out_len, old_dlen; |
| |
| out_len = le32_to_cpu(dn->size); |
| - buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS); |
| + buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS); |
| if (!buf) |
| return -ENOMEM; |
| |