diff mbox series

[SRU,OEM-6.1,F/J/L/M,1/1] ubi: Refuse attaching if mtd's erasesize is 0

Message ID 20231026153508.6845-2-yuxuan.luo@canonical.com
State New
Headers show
Series CVE-2023-31085 | expand

Commit Message

Yuxuan Luo Oct. 26, 2023, 3:35 p.m. UTC 
From: Zhihao Cheng <chengzhihao1@huawei.com>

There exists mtd devices with zero erasesize, which will trigger a
divide-by-zero exception while attaching ubi device.
Fix it by refusing attaching if mtd's erasesize is 0.

Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
Reported-by: Yu Hao <yhao016@ucr.edu>
Link: https://lore.kernel.org/lkml/977347543.226888.1682011999468.JavaMail.zimbra@nod.at/T/
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
(cherry picked from commit 017c73a34a661a861712f7cc1393a123e5b2208c)
CVE-2023-31085
Signed-off-by: Yuxuan Luo <yuxuan.luo@canonical.com>
---
 drivers/mtd/ubi/build.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff mbox series

Patch

diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
index f29ed9102ce91..a7169b0d5ba65 100644
--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -865,6 +865,13 @@  int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
 		return -EINVAL;
 	}
 
+	/* UBI cannot work on flashes with zero erasesize. */
+	if (!mtd->erasesize) {
+		pr_err("ubi: refuse attaching mtd%d - zero erasesize flash is not supported\n",
+			mtd->index);
+		return -EINVAL;
+	}
+
 	if (ubi_num == UBI_DEV_NUM_AUTO) {
 		/* Search for an empty slot in the @ubi_devices array */
 		for (ubi_num = 0; ubi_num < UBI_MAX_DEVICES; ubi_num++)