Message ID | 20241125132354.16188-1-arefev@swemel.ru |
---|---|
State | New |
Headers | show |
Series | mtd: ubi: Added a check for ubi_num | expand |
在 2024/11/25 21:23, Denis Arefev 写道: > Added a check for ubi_num for negative numbers > If the variable ubi_num takes negative values then we get: > > qemu-system-arm ... -append "ubi.mtd=0,0,0,-22222345" ... > [ 0.745065] ubi_attach_mtd_dev from ubi_init+0x178/0x218 > [ 0.745230] ubi_init from do_one_initcall+0x70/0x1ac > [ 0.745344] do_one_initcall from kernel_init_freeable+0x198/0x224 > [ 0.745474] kernel_init_freeable from kernel_init+0x18/0x134 > [ 0.745600] kernel_init from ret_from_fork+0x14/0x28 > [ 0.745727] Exception stack(0x90015fb0 to 0x90015ff8) > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: 897a316c9e6f ("UBI: handle attach ioctl") Hi Denis, I think the problem is imported by 83ff59a066637a6c28844bbf43009459408240f4("UBI: support ubi_num on mtd.ubi command line"). > Signed-off-by: Denis Arefev <arefev@swemel.ru> > --- > drivers/mtd/ubi/build.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c > index 30be4ed68fad..dae569f48b87 100644 > --- a/drivers/mtd/ubi/build.c > +++ b/drivers/mtd/ubi/build.c > @@ -920,7 +920,7 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num, > return -ENFILE; > } > } else { > - if (ubi_num >= UBI_MAX_DEVICES) > + if (ubi_num < UBI_DEV_NUM_AUTO || ubi_num >= UBI_MAX_DEVICES) > return -EINVAL; The ioctl(UBI_IOCATT) already checks the 'ubi_num', so I prefer to add the missing check in ubi_mtd_param_parse(). > > /* Make sure ubi_num is not busy */ >
diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c index 30be4ed68fad..dae569f48b87 100644 --- a/drivers/mtd/ubi/build.c +++ b/drivers/mtd/ubi/build.c @@ -920,7 +920,7 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num, return -ENFILE; } } else { - if (ubi_num >= UBI_MAX_DEVICES) + if (ubi_num < UBI_DEV_NUM_AUTO || ubi_num >= UBI_MAX_DEVICES) return -EINVAL; /* Make sure ubi_num is not busy */
Added a check for ubi_num for negative numbers If the variable ubi_num takes negative values then we get: qemu-system-arm ... -append "ubi.mtd=0,0,0,-22222345" ... [ 0.745065] ubi_attach_mtd_dev from ubi_init+0x178/0x218 [ 0.745230] ubi_init from do_one_initcall+0x70/0x1ac [ 0.745344] do_one_initcall from kernel_init_freeable+0x198/0x224 [ 0.745474] kernel_init_freeable from kernel_init+0x18/0x134 [ 0.745600] kernel_init from ret_from_fork+0x14/0x28 [ 0.745727] Exception stack(0x90015fb0 to 0x90015ff8) Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 897a316c9e6f ("UBI: handle attach ioctl") Signed-off-by: Denis Arefev <arefev@swemel.ru> --- drivers/mtd/ubi/build.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)