ubifs: Limit dumping length by size of memory which is allocated for the node

mainline inclusion
from mainline-v5.11-rc1
commit c4c0d19d
category: bugfix
bugzilla: 182885 https://gitee.com/openeuler/kernel/issues/I4DDEL

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c4c0d19d39d26c5f58633f8fcca75f03b2854fc0

-----------------------------------------------

To prevent memory out-of-bounds accessing in ubifs_dump_node(), actual dumping length should be restricted by another condition (size of memory which is allocated for the node).

This patch handles following situations (These situations may be caused by bit flipping due to hardware error, writing bypass ubifs, unknown bugs in ubifs, etc.):

1. bad node_len: Dumping data according to 'ch->len' which may exceed the size of memory allocated for node.
2. bad node content: Some kinds of node can record additional data, e.g. index node and orphan node, make sure the size of additional data not beyond the node length.
3. node_type changes: Read data according to type A, but expected type B, before that, node is allocated according to type B's size. Length of type A node is greater than type B node.

Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Chen Jun <chenjun102@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
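
The three situations listed in the commit message, as an added userspace example that is not the commit's code: a dump routine that trusts neither the length, the type, nor the trailing-item count recorded in the node, and bounds all of them by the allocation size. The struct demo_hdr layout, the DEMO_* constants and the demo_* function names are hypothetical and do not match the UBIFS on-flash format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified node layout for illustration, not the UBIFS format. */
struct demo_hdr {
    uint32_t len;       /* node length recorded in the node (untrusted) */
    uint8_t  type;      /* DEMO_DATA or DEMO_IDX (untrusted) */
    uint8_t  pad;
    uint16_t child_cnt; /* DEMO_IDX only: branches following the header */
};
enum { DEMO_DATA = 0, DEMO_IDX = 1, DEMO_BRANCH_SZ = 8 };

/* Case 1: bytes that may be dumped = min(recorded length, allocated size). */
size_t demo_safe_len(const void *buf, size_t alloc_len)
{
    struct demo_hdr h;
    if (alloc_len < sizeof(h))
        return 0;                    /* not even a full header to read */
    memcpy(&h, buf, sizeof(h));
    return h.len < alloc_len ? h.len : alloc_len;
}

/* Cases 2 and 3: branches that may be printed. Zero unless the node is the
 * type the buffer was sized for; otherwise capped by the bounded length. */
size_t demo_idx_branches(const void *buf, size_t alloc_len)
{
    struct demo_hdr h;
    size_t fit, safe = demo_safe_len(buf, alloc_len);
    if (safe < sizeof(h))
        return 0;                    /* recorded length too short to decode */
    memcpy(&h, buf, sizeof(h));
    if (h.type != DEMO_IDX)
        return 0;                    /* type changed: dump raw bytes only */
    fit = (safe - sizeof(h)) / DEMO_BRANCH_SZ;
    return h.child_cnt < fit ? h.child_cnt : fit;
}

int main(void)
{
    /* Constructed sample: 24-byte allocation, header claims 4096 bytes, 100 branches. */
    struct demo_hdr h = { 4096, DEMO_IDX, 0, 100 };
    unsigned char buf[24] = { 0 };
    memcpy(buf, &h, sizeof(h));
    printf("dump %zu bytes, %zu branches\n",
           demo_safe_len(buf, sizeof(buf)), demo_idx_branches(buf, sizeof(buf)));
    return 0;
}
```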