Message ID | ae901608-0580-010a-26e3-99d0b704b88b@oracle.com |
---|---|
State | New |
From | George Kennedy <george.kennedy@oracle.com> |
Date | Tue, 15 Nov 2022 10:14:44 -0500 |
Subject | [PATCH] ubi: ensure that VID header offset + VID header size <= alloc, size |
To | richard@nod.at, miquel.raynal@bootlin.com, vigneshr@ti.com |
Cc | eorge.kennedy@oracle.com, linux-mtd@lists.infradead.org, syzkaller@googlegroups.com, linux-kernel@vger.kernel.org, harshit.m.mogalapalli@oracle.com |
List-ID | <linux-kernel.vger.kernel.org> |
Series | ubi: ensure that VID header offset + VID header size <= alloc, size |
Commit Message
George Kennedy
Nov. 15, 2022, 3:14 p.m. UTC
Ensure that the VID header offset + VID header size does not exceed the allocated area to avoid slab OOB.

BUG: KASAN: slab-out-of-bounds in crc32_body lib/crc32.c:111 [inline]
BUG: KASAN: slab-out-of-bounds in crc32_le_generic lib/crc32.c:179 [inline]
BUG: KASAN: slab-out-of-bounds in crc32_le_base+0x58c/0x626 lib/crc32.c:197
Read of size 4 at addr ffff88802bb36f00 by task syz-executor136/1555

CPU: 2 PID: 1555 Comm: syz-executor136 Tainted: G W 6.0.0-1868 #1
Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x85/0xad lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold.13+0xb6/0x6bb mm/kasan/report.c:433
kasan_report+0xa7/0x11b mm/kasan/report.c:495
crc32_body lib/crc32.c:111 [inline]
crc32_le_generic lib/crc32.c:179 [inline]
crc32_le_base+0x58c/0x626 lib/crc32.c:197
ubi_io_write_vid_hdr+0x1b7/0x472 drivers/mtd/ubi/io.c:1067
create_vtbl+0x4d5/0x9c4 drivers/mtd/ubi/vtbl.c:317
create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]
ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812
ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601
ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965
ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0x0
RIP: 0033:0x7f96d5cf753d
Code:
RSP: 002b:00007fffd72206f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f96d5cf753d
RDX: 0000000020000080 RSI: 0000000040186f40 RDI: 0000000000000003
RBP: 0000000000400cd0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400be0
R13: 00007fffd72207e0 R14: 0000000000000000 R15: 0000000000000000
</TASK>

Allocated by task 1555:
kasan_save_stack+0x20/0x3d mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
____kasan_kmalloc mm/kasan/common.c:516 [inline]
__kasan_kmalloc+0x88/0xa3 mm/kasan/common.c:525
kasan_kmalloc include/linux/kasan.h:234 [inline]
__kmalloc+0x138/0x257 mm/slub.c:4429
kmalloc include/linux/slab.h:605 [inline]
ubi_alloc_vid_buf drivers/mtd/ubi/ubi.h:1093 [inline]
create_vtbl+0xcc/0x9c4 drivers/mtd/ubi/vtbl.c:295
create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]
ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812
ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601
ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965
ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0x0

The buggy address belongs to the object at ffff88802bb36e00
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes to the right of
256-byte region [ffff88802bb36e00, ffff88802bb36f00)

The buggy address belongs to the physical page:
page:00000000ea4d1263 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2bb36
head:00000000ea4d1263 order:1 compound_mapcount:0 compound_pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0010200 ffffea000066c300 dead000000000003 ffff888100042b40
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88802bb36e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88802bb36e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88802bb36f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88802bb36f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802bb37000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
---
drivers/mtd/ubi/build.c | 6 ++++++
1 file changed, 6 insertions(+)
Comments
----- Original Message ----- > Fixes: 801c135ce73d ("UBI: Unsorted Block Images") > Reported-by: syzkaller <syzkaller@googlegroups.com> > Signed-off-by: George Kennedy <george.kennedy@oracle.com> > --- > drivers/mtd/ubi/build.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c > index a32050fecabf..53aa4de6b963 100644 > --- a/drivers/mtd/ubi/build.c > +++ b/drivers/mtd/ubi/build.c > @@ -663,6 +663,12 @@ static int io_init(struct ubi_device *ubi, int > max_beb_per1024) > ubi->ec_hdr_alsize = ALIGN(UBI_EC_HDR_SIZE, ubi->hdrs_min_io_size); > ubi->vid_hdr_alsize = ALIGN(UBI_VID_HDR_SIZE, ubi->hdrs_min_io_size); > > + if (ubi->vid_hdr_offset && ((ubi->vid_hdr_offset + UBI_VID_HDR_SIZE) > > + ubi->vid_hdr_alsize)) { > + ubi_err(ubi, "VID header offset %d too large.", ubi->vid_hdr_offset); > + return -EINVAL; > + } > + Thanks for fixing this, applied to the fixes branch. That said, something broke whitespaces in your patch, I applied it manually. Context lines before and after contain an extra space and caused both git am and patch to give up. Thanks, //richard
Hello, On Mon, Apr 17, 2023 at 06:01:02PM +0200, Uwe Kleine-König wrote: > On Tue, Nov 15, 2022 at 10:14:44AM -0500, George Kennedy wrote: > > Ensure that the VID header offset + VID header size does not exceed > > the allocated area to avoid slab OOB. > > > > BUG: KASAN: slab-out-of-bounds in crc32_body lib/crc32.c:111 [inline] > > BUG: KASAN: slab-out-of-bounds in crc32_le_generic lib/crc32.c:179 [inline] > > BUG: KASAN: slab-out-of-bounds in crc32_le_base+0x58c/0x626 lib/crc32.c:197 > > Read of size 4 at addr ffff88802bb36f00 by task syz-executor136/1555 > > > > CPU: 2 PID: 1555 Comm: syz-executor136 Tainted: G W > > 6.0.0-1868 #1 > > Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29 > > 04/01/2014 > > Call Trace: > > <TASK> > > __dump_stack lib/dump_stack.c:88 [inline] > > dump_stack_lvl+0x85/0xad lib/dump_stack.c:106 > > print_address_description mm/kasan/report.c:317 [inline] > > print_report.cold.13+0xb6/0x6bb mm/kasan/report.c:433 > > kasan_report+0xa7/0x11b mm/kasan/report.c:495 > > crc32_body lib/crc32.c:111 [inline] > > crc32_le_generic lib/crc32.c:179 [inline] > > crc32_le_base+0x58c/0x626 lib/crc32.c:197 > > ubi_io_write_vid_hdr+0x1b7/0x472 drivers/mtd/ubi/io.c:1067 > > create_vtbl+0x4d5/0x9c4 drivers/mtd/ubi/vtbl.c:317 > > create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline] > > ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812 > > ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601 > > ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965 > > ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043 > > vfs_ioctl fs/ioctl.c:51 [inline] > > __do_sys_ioctl fs/ioctl.c:870 [inline] > > __se_sys_ioctl fs/ioctl.c:856 [inline] > > __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856 > > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > > do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80 > > entry_SYSCALL_64_after_hwframe+0x63/0x0 > > RIP: 0033:0x7f96d5cf753d > > Code: > > RSP: 002b:00007fffd72206f8 EFLAGS: 00000246 
ORIG_RAX: 0000000000000010 > > RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f96d5cf753d > > RDX: 0000000020000080 RSI: 0000000040186f40 RDI: 0000000000000003 > > RBP: 0000000000400cd0 R08: 0000000000000000 R09: 0000000000000000 > > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400be0 > > R13: 00007fffd72207e0 R14: 0000000000000000 R15: 0000000000000000 > > </TASK> > > > > Allocated by task 1555: > > kasan_save_stack+0x20/0x3d mm/kasan/common.c:38 > > kasan_set_track mm/kasan/common.c:45 [inline] > > set_alloc_info mm/kasan/common.c:437 [inline] > > ____kasan_kmalloc mm/kasan/common.c:516 [inline] > > __kasan_kmalloc+0x88/0xa3 mm/kasan/common.c:525 > > kasan_kmalloc include/linux/kasan.h:234 [inline] > > __kmalloc+0x138/0x257 mm/slub.c:4429 > > kmalloc include/linux/slab.h:605 [inline] > > ubi_alloc_vid_buf drivers/mtd/ubi/ubi.h:1093 [inline] > > create_vtbl+0xcc/0x9c4 drivers/mtd/ubi/vtbl.c:295 > > create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline] > > ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812 > > ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601 > > ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965 > > ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043 > > vfs_ioctl fs/ioctl.c:51 [inline] > > __do_sys_ioctl fs/ioctl.c:870 [inline] > > __se_sys_ioctl fs/ioctl.c:856 [inline] > > __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856 > > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > > do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80 > > entry_SYSCALL_64_after_hwframe+0x63/0x0 > > > > The buggy address belongs to the object at ffff88802bb36e00 > > which belongs to the cache kmalloc-256 of size 256 > > The buggy address is located 0 bytes to the right of > > 256-byte region [ffff88802bb36e00, ffff88802bb36f00) > > > > The buggy address belongs to the physical page: > > page:00000000ea4d1263 refcount:1 mapcount:0 mapping:0000000000000000 > > index:0x0 pfn:0x2bb36 > > head:00000000ea4d1263 order:1 
compound_mapcount:0 compound_pincount:0 > > flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) > > raw: 000fffffc0010200 ffffea000066c300 dead000000000003 ffff888100042b40 > > raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 > > page dumped because: kasan: bad access detected > > > > Memory state around the buggy address: > > ffff88802bb36e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > > ffff88802bb36e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > > > ffff88802bb36f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > > ^ > > ffff88802bb36f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > > ffff88802bb37000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > > ================================================================== > > > > Fixes: 801c135ce73d ("UBI: Unsorted Block Images") > > Reported-by: syzkaller <syzkaller@googlegroups.com> > > Signed-off-by: George Kennedy <george.kennedy@oracle.com> > > --- > > drivers/mtd/ubi/build.c | 6 ++++++ > > 1 file changed, 6 insertions(+) > > > > diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c > > index a32050fecabf..53aa4de6b963 100644 > > --- a/drivers/mtd/ubi/build.c > > +++ b/drivers/mtd/ubi/build.c 
> > @@ -663,6 +663,12 @@ static int io_init(struct ubi_device *ubi, int max_beb_per1024) > > ubi->ec_hdr_alsize = ALIGN(UBI_EC_HDR_SIZE, ubi->hdrs_min_io_size); > > ubi->vid_hdr_alsize = ALIGN(UBI_VID_HDR_SIZE, ubi->hdrs_min_io_size); > > + if (ubi->vid_hdr_offset && ((ubi->vid_hdr_offset + UBI_VID_HDR_SIZE) > > > + ubi->vid_hdr_alsize)) { > > + ubi_err(ubi, "VID header offset %d too large.", ubi->vid_hdr_offset); > > + return -EINVAL; > > + } > > + > > This patch is in mainline as 1b42b1a36fc946f0d7088425b90d491b4257ca3e, > and backported to various stable releases. > > For me this breaks > > ubiattach -m 0 -O 2048 > > I think the check > > ubi->vid_hdr_offset + UBI_VID_HDR_SIZE > ubi->vid_hdr_alsize > > is wrong. Without -O passed to ubiattach (and dynamic debug enabled) I > get: > > [ 5294.936762] UBI DBG gen (pid 9619): sizeof(struct ubi_ainf_peb) 56 > [ 5294.936769] UBI DBG gen (pid 9619): sizeof(struct ubi_wl_entry) 32 > [ 5294.936774] UBI DBG gen (pid 9619): min_io_size 2048 > [ 5294.936779] UBI DBG gen (pid 9619): max_write_size 2048 > [ 5294.936783] UBI DBG gen (pid 9619): hdrs_min_io_size 512 > [ 5294.936787] UBI DBG gen (pid 9619): ec_hdr_alsize 512 > [ 5294.936791] UBI DBG gen (pid 9619): vid_hdr_alsize 512 > [ 5294.936796] UBI DBG gen (pid 9619): vid_hdr_offset 512 > [ 5294.936800] UBI DBG gen (pid 9619): vid_hdr_aloffset 512 > [ 5294.936804] UBI DBG gen (pid 9619): vid_hdr_shift 0 > [ 5294.936808] UBI DBG gen (pid 9619): leb_start 2048 > [ 5294.936812] UBI DBG gen (pid 9619): max_erroneous 409 > > So the check would only pass for vid_hdr_offset <= 512 - > UBI_VID_HDR_SIZE; note that even specifying the default value 512 (i.e. > > ubiattach -m 0 -O 512 > > ) fails the check. > > A less strong check would be: > > diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c > index 0904eb40c95f..69c28a862430 100644 > --- a/drivers/mtd/ubi/build.c > +++ b/drivers/mtd/ubi/build.c 
> @@ -666,8 +666,8 @@ static int io_init(struct ubi_device *ubi, int max_beb_per1024) > ubi->ec_hdr_alsize = ALIGN(UBI_EC_HDR_SIZE, ubi->hdrs_min_io_size); > ubi->vid_hdr_alsize = ALIGN(UBI_VID_HDR_SIZE, ubi->hdrs_min_io_size); > > - if (ubi->vid_hdr_offset && ((ubi->vid_hdr_offset + UBI_VID_HDR_SIZE) > > - ubi->vid_hdr_alsize)) { > + if (ubi->vid_hdr_offset && > + ubi->vid_hdr_offset + UBI_VID_HDR_SIZE > ubi->peb_size) { > ubi_err(ubi, "VID header offset %d too large.", ubi->vid_hdr_offset); > return -EINVAL; > } > > But I'm unsure if this would be too lax?! I just learned in irc that 1e020e1b96af ("ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size") is supposed to fix that. Best regards Uwe
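Review bot: in the alternative hunk, comparing `ubi->vid_hdr_offset + UBI_VID_HDR_SIZE` against `ubi->peb_size` only establishes that the header lies inside the erase block; it does not bound the write into the `vid_hdr_alsize`-byte buffer that the KASAN report shows overflowing (a 256-byte `kmalloc-256` object from `ubi_alloc_vid_buf`), so an offset that is not a multiple of `hdrs_min_io_size`, such as 480 with the 512-byte `hdrs_min_io_size` in the debug output, would pass while still placing the header near the end of a 512-byte buffer. The quantity to bound is the header's position inside that buffer, which the driver already derives and prints as `vid_hdr_shift` (0 in the quoted output), i.e. `ubi->vid_hdr_shift + UBI_VID_HDR_SIZE > ubi->vid_hdr_alsize`; that form also keeps `-O 512` and `-O 2048` working, since both have shift 0, and is worth stating in the commit message so the "too lax?" question is answered by the check itself.

To make the sizing arithmetic argued over in this thread concrete, here is a small C model of the fields io_init() derives. This is an added example written for this page, not the UBI driver's code. It assumes that `UBI_EC_HDR_SIZE` and `UBI_VID_HDR_SIZE` are 64 bytes, that `vid_hdr_aloffset` is `vid_hdr_offset` rounded down to `hdrs_min_io_size` with `vid_hdr_shift` as the remainder (consistent with the 512/512/0 triple in the dynamic-debug output above), and that `hdrs_min_io_size` is a power of two as `ALIGN()` requires; `header_fits_buffer()` is the shift-based alternative check discussed here, not the condition from either posted diff.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed constants: sizeof(struct ubi_ec_hdr) and sizeof(struct ubi_vid_hdr). */
#define UBI_EC_HDR_SIZE  64
#define UBI_VID_HDR_SIZE 64
#define ALIGN(x, a) (((x) + ((a) - 1)) & ~((a) - 1))

/* Model of the io_init() fields that govern the VID header buffer. */
struct vid_layout {
	int vid_hdr_alsize;    /* bytes ubi_alloc_vid_buf() hands out */
	int vid_hdr_offset;    /* header position inside the PEB */
	int vid_hdr_aloffset;  /* start of the aligned chunk holding the header */
	int vid_hdr_shift;     /* header position inside that buffer */
};

/* requested_offset is the ubiattach -O value; 0 means "use the default". */
struct vid_layout derive_layout(int hdrs_min_io_size, int requested_offset)
{
	struct vid_layout l;

	l.vid_hdr_alsize = ALIGN(UBI_VID_HDR_SIZE, hdrs_min_io_size);
	if (requested_offset == 0) {
		/* default: VID header right after the aligned EC header, shift 0 */
		l.vid_hdr_offset = l.vid_hdr_aloffset =
			ALIGN(UBI_EC_HDR_SIZE, hdrs_min_io_size);
		l.vid_hdr_shift = 0;
	} else {
		/* assumed rounding: aloffset down to hdrs_min_io_size, shift = remainder */
		l.vid_hdr_offset = requested_offset;
		l.vid_hdr_aloffset = requested_offset & ~(hdrs_min_io_size - 1);
		l.vid_hdr_shift = requested_offset - l.vid_hdr_aloffset;
	}
	return l;
}

/* The condition exactly as the posted patch adds it to io_init(). */
bool patch_check_accepts(int hdrs_min_io_size, int requested_offset)
{
	int vid_hdr_alsize = ALIGN(UBI_VID_HDR_SIZE, hdrs_min_io_size);

	return !(requested_offset &&
		 (requested_offset + UBI_VID_HDR_SIZE > vid_hdr_alsize));
}

/*
 * What the buffer really bounds: the header is written vid_hdr_shift bytes
 * into a vid_hdr_alsize-byte buffer, so it overruns the allocation exactly
 * when shift + header size exceeds the buffer (the KASAN report's case).
 * Alternative check for illustration, not from either posted diff.
 */
bool header_fits_buffer(int hdrs_min_io_size, int requested_offset)
{
	struct vid_layout l = derive_layout(hdrs_min_io_size, requested_offset);

	return l.vid_hdr_shift + UBI_VID_HDR_SIZE <= l.vid_hdr_alsize;
}

int main(void)
{
	/* (hdrs_min_io_size, -O value): the thread's cases plus constructed overruns */
	const int cases[][2] = { {512, 0}, {512, 512}, {512, 2048}, {512, 480}, {256, 2000} };

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		int io = cases[i][0], off = cases[i][1];
		struct vid_layout l = derive_layout(io, off);

		printf("hdrs_min_io_size %4d -O %4d -> alsize %3d aloffset %4d shift %3d | "
		       "posted check: %s | header fits buffer: %s\n",
		       io, off, l.vid_hdr_alsize, l.vid_hdr_aloffset, l.vid_hdr_shift,
		       patch_check_accepts(io, off) ? "accept" : "reject",
		       header_fits_buffer(io, off) ? "yes" : "no");
	}
	return 0;
}
```

Running it reproduces the disagreement in the thread: with `hdrs_min_io_size` 512 the posted check rejects `-O 512` and `-O 2048` although the header starts at shift 0 inside its 512-byte buffer, while the shift-based test accepts them and still rejects layouts such as offset 480 (shift 480) or offset 2000 with a 256-byte alignment (shift 208 in a 256-byte buffer), the kind of layout that produces the slab overrun KASAN reported.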
diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c index a32050fecabf..53aa4de6b963 100644 --- a/drivers/mtd/ubi/build.c +++ b/drivers/mtd/ubi/build.c @@ -663,6 +663,12 @@ static int io_init(struct ubi_device *ubi, int max_beb_per1024) ubi->ec_hdr_alsize = ALIGN(UBI_EC_HDR_SIZE, ubi->hdrs_min_io_size); ubi->vid_hdr_alsize = ALIGN(UBI_VID_HDR_SIZE, ubi->hdrs_min_io_size); + if (ubi->vid_hdr_offset && ((ubi->vid_hdr_offset + UBI_VID_HDR_SIZE) > + ubi->vid_hdr_alsize)) { + ubi_err(ubi, "VID header offset %d too large.", ubi->vid_hdr_offset); + return -EINVAL; + } + dbg_gen("min_io_size %d", ubi->min_io_size); dbg_gen("max_write_size %d", ubi->max_write_size); dbg_gen("hdrs_min_io_size %d", ubi->hdrs_min_io_size);
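Review bot: the bound in the added `if` compares the header's offset inside the PEB against `ubi->vid_hdr_alsize`, which is only the size of the aligned header buffer (`ALIGN(UBI_VID_HDR_SIZE, ubi->hdrs_min_io_size)`, 512 with the debug values Uwe quotes), so every explicit offset above `vid_hdr_alsize - UBI_VID_HDR_SIZE` is rejected, the default layout of 512 included, even though the header then sits at the very start of its buffer. The overrun the KASAN report shows (a read at 0 bytes past the 256-byte `ubi_alloc_vid_buf` allocation) depends on where the header lands within that buffer, the `vid_hdr_shift` the driver also derives (0 in the quoted debug output), so the check should be `ubi->vid_hdr_shift + UBI_VID_HDR_SIZE > ubi->vid_hdr_alsize` and placed after that field is computed. The `ubi->vid_hdr_offset &&` guard also skips validation of the default path entirely; that is fine while the default is `vid_hdr_aloffset` with shift 0, but deserves a comment, and the `ubi_err` message would be more useful if it printed the size it was compared against alongside the offset.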