| From e4f6daac20332448529b11f09388f1d55ef2084c Mon Sep 17 00:00:00 2001 |
| From: Richard Weinberger <richard@nod.at> |
| Date: Sun, 21 Feb 2016 10:53:03 +0100 |
| Subject: ubi: Fix out of bounds write in volume update code |
| |
| From: Richard Weinberger <richard@nod.at> |
| |
| commit e4f6daac20332448529b11f09388f1d55ef2084c upstream. |
| |
| ubi_start_leb_change() allocates too few bytes. |
| ubi_more_leb_change_data() will write up to req->upd_bytes + |
| ubi->min_io_size bytes. |
| |
| Signed-off-by: Richard Weinberger <richard@nod.at> |
| Reviewed-by: Boris Brezillon <boris.brezillon@free-electrons.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/mtd/ubi/upd.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/mtd/ubi/upd.c |
| +++ b/drivers/mtd/ubi/upd.c |
| @@ -193,7 +193,7 @@ int ubi_start_leb_change(struct ubi_devi |
| vol->changing_leb = 1; |
| vol->ch_lnum = req->lnum; |
| |
| - vol->upd_buf = vmalloc(req->bytes); |
| + vol->upd_buf = vmalloc(ALIGN((int)req->bytes, ubi->min_io_size)); |
| if (!vol->upd_buf) |
| return -ENOMEM; |
| |
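Review bot: The new size expression on the `vmalloc()` line depends on two invariants the hunk does not show: `ALIGN()` rounds up correctly only when `ubi->min_io_size` is a power of two, and the `(int)` cast plus round-up yields a wrong size if `req->bytes` is negative or within `min_io_size` of `INT_MAX`. Both are presumably enforced earlier (ubi_start_leb_change() begins outside the hunk, and the request is likely validated by its caller), but this should be confirmed, because an under-sized `upd_buf` is exactly the out-of-bounds write being fixed. It would also help to record why the round-up exists so a later cleanup does not drop it, e.g. `/* ubi_more_leb_change_data() pads the last write to min_io_size; size the buffer to match */` above the allocation.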