Re: [PATCH] jffs2: add additinal sanity check for jffs2_acl_from_medium()

[Richard Weinberger <richard.weinberger@xxxxxxxxx>]

On Sun, Sep 2, 2018 at 5:45 PM Chengguang Xu <cgxu519@xxxxxxx> wrote:
>
> In the case ACL_USER and ACL_GROUP we check if value has exceeded end,
> add same check in the case ACL_OTHER as well.

Did you hit a problem in that area or was this found by review?
>From looking at the code I'd say it is fine as is.
In the ACL_MASK/_OTHER case we don't look into the entry object like
ACL_USER/_GROUP
do, we immediately break the switch and run another round in the for loop.
And here we do:
                entry = value;
                if (value + sizeof(struct jffs2_acl_entry_short) > end)
                        goto fail;

Which is what your additional check does. So, we'd check twice.
What do I miss?

> Signed-off-by: Chengguang Xu <cgxu519@xxxxxxx>
> ---
>  fs/jffs2/acl.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/fs/jffs2/acl.c b/fs/jffs2/acl.c
> index 093ffbd82395..fce32de3a18f 100644
> --- a/fs/jffs2/acl.c
> +++ b/fs/jffs2/acl.c
> @@ -94,6 +94,8 @@ static struct posix_acl *jffs2_acl_from_medium(void *value, size_t size)
>                         case ACL_MASK:
>                         case ACL_OTHER:
>                                 value += sizeof(struct jffs2_acl_entry_short);
> +                               if (value > end)
> +                                       goto fail;
>                                 break;
>
>                         case ACL_USER:
> --
> 2.17.1
>
>
> ______________________________________________________
> Linux MTD discussion mailing list
> http://lists.infradead.org/mailman/listinfo/linux-mtd/



-- 
Thanks,
//richard

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/