Re: [PATCH] jffs2: Fix integer underflow in jffs2_rtime_compress

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am Donnerstag, 20. Dezember 2018, 11:43:08 CET schrieb Hou Tao:
> 
> On 2018/12/16 0:23, Richard Weinberger wrote:
> > The rtime compressor assumes that at least two bytes are
> > compressed.
> > If we try to compress just one byte, the loop condition will
> > wrap around and an out-of-bounds write happens.
> > 
> > Cc: <stable@xxxxxxxxxxxxxxx>
> > Signed-off-by: Richard Weinberger <richard@xxxxxx>
> > ---
> >  fs/jffs2/compr_rtime.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > It seems that it doesn't incur any harm because the minimal allocated
> size will be 8-bytes and jffs2_rtime_compress() will write 2-bytes into
> the allocated buffer.

Are you sure about that? I saw odd kernel behavior and KASAN complained too.

Thanks,
//richard





[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux