Sasha, Am Freitag, 5. Oktober 2018, 18:17:50 CEST schrieb Sasha Levin: > From: Richard Weinberger <richard@xxxxxx> > > [ Upstream commit 37f31b6ca4311b94d985fb398a72e5399ad57925 ] > > The requested device name can be NULL or an empty string. > Check for that and refuse to continue. UBIFS has to do this manually > since we cannot use mount_bdev(), which checks for this condition. > > Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system") > Reported-by: syzbot+38bd0f7865e5c6379280@xxxxxxxxxxxxxxxxxxxxxxxxx > Signed-off-by: Richard Weinberger <richard@xxxxxx> > Signed-off-by: Sasha Levin <alexander.levin@xxxxxxxxxxxxx> I'm not sure whether it makes sense to apply this patch to stable. 1. You need to be the real root to hit this code path. 2. Access is read-only, for an attacker it is useless. If we look at the code: if (name[0] != 'u' || name[1] != 'b' || name[2] != 'i') return ERR_PTR(-EINVAL); /* ubi:NAME method */ if ((name[3] == ':' || name[3] == '!') && name[4] != '\0') name can be NULL, so we access just a few bytes. Thanks, //richard