From patchwork Fri Aug 21 22:43:15 2009
X-Patchwork-Submitter: Victor Gallardo
X-Patchwork-Id: 31853
From: Victor Gallardo
To: linux-mtd@lists.infradead.org
Subject: [PATCH] [JFFS2] Fix csize integer overflow issue due to truncation
Date: Fri, 21 Aug 2009 15:43:15 -0700
Message-Id: <1250894595-21052-1-git-send-email-vgallardo@amcc.com>
Cc: Prodyut Hazarika, linuxppc-dev@ozlabs.org, Victor Gallardo, Feng Kan
List-Id: Linux on PowerPC Developers Mail List

This fixes a kernel BUG_ON(tn->csize == 0) panic in check_node_data due to
integer overflow in read_dnode(). The code incorrectly assigns a uint32_t
local variable (csize) to a uint16_t structure member in
jffs2_tmp_dnode_info. This results in an overflow when the local variable
csize is greater than 65536 (0x10000). This issue is seen when the kernel
PAGE_SIZE is 64K.

The following example illustrates the issue:

fs/jffs2/nodelist.h

struct jffs2_tmp_dnode_info {
	...
	uint16_t csize;
	...
};

fs/jffs2/readinode.c

static inline int read_dnode(...)
{
	struct jffs2_tmp_dnode_info *tn;
	uint32_t len, csize;
	...
	csize = je32_to_cpu(rd->csize);
	...
	tn->csize = csize;   // <=== result truncated if > 0x10000
	...
}

static int check_node_data(...)
{
	...
	BUG_ON(tn->csize == 0);
	...
}

Signed-off-by: Victor Gallardo
Acked-by: Prodyut Hazarika
Acked-by: Feng Kan
---
 fs/jffs2/nodelist.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/fs/jffs2/nodelist.h b/fs/jffs2/nodelist.h
index 507ed6e..67f36c3 100644
--- a/fs/jffs2/nodelist.h
+++ b/fs/jffs2/nodelist.h
@@ -231,7 +231,7 @@ struct jffs2_tmp_dnode_info uint32_t version; uint32_t data_crc; uint32_t partial_crc; - uint16_t csize; + uint32_t csize; uint16_t overlapped; };
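Review bot: the description and the inline comment "result truncated if > 0x10000" understate the failing range: storing a 32-bit csize into the old uint16_t member already wraps at exactly 0x10000, producing csize == 0, which is precisely the value that BUG_ON(tn->csize == 0) in check_node_data trips on, so the text should read ">= 0x10000" (and 65536 rather than "greater than 65536"). Two smaller points on the hunk itself: widening csize leaves "uint16_t overlapped;" as the only 16-bit member at the tail of the struct, so with natural alignment the struct grows by 4 bytes (2 of data, 2 of padding) rather than 2, which is worth a sentence in the commit message; and since csize now reaches the struct untruncated, a bounds check against the node length in read_dnode() that returns an error for a corrupt on-flash value would be a safer guard than leaving the BUG_ON as the only check.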
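An added example, not code from the patch or from the kernel, that reproduces the truncation the commit message describes: constructed stand-ins for struct jffs2_tmp_dnode_info before and after this change, a stand-in for the kernel's je32_to_cpu(), and a hypothetical validate_csize() that returns an error where check_node_data() used BUG_ON.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed mirrors of struct jffs2_tmp_dnode_info (not the kernel's own
 * code): only the members relevant to the bug are kept. */
struct tn_before { uint32_t version; uint16_t csize; uint16_t overlapped; };
struct tn_after  { uint32_t version; uint32_t csize; uint16_t overlapped; };

/* JFFS2 stores node fields little-endian on flash; the kernel's
 * je32_to_cpu() does this conversion. Stand-in helper for this example. */
static uint32_t le32_to_host(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unpatched read_dnode() behaviour: the 32-bit csize is stored in a 16-bit
 * member, so any value >= 0x10000 loses its upper bits (0x10000 becomes 0). */
uint32_t csize_before_patch(const uint8_t raw_csize[4])
{
    struct tn_before tn = {0};
    uint32_t csize = le32_to_host(raw_csize);
    tn.csize = (uint16_t)csize;    /* the implicit truncation, made visible */
    return tn.csize;
}

/* Patched behaviour: the member is uint32_t, nothing is lost. */
uint32_t csize_after_patch(const uint8_t raw_csize[4])
{
    struct tn_after tn = {0};
    tn.csize = le32_to_host(raw_csize);
    return tn.csize;
}

/* Defensive check in place of BUG_ON(tn->csize == 0): reject a zero or
 * oversized csize with an error code instead of panicking. max_csize is
 * assumed to be derived from the node's total length by the caller. */
int validate_csize(uint32_t csize, uint32_t max_csize)
{
    return (csize == 0 || csize > max_csize) ? -1 : 0;
}

/* Constructed on-flash encodings: 0x10000 (one 64K page) and 0x12345. */
static const uint8_t SAMPLE_CSIZE_64K[4] = {0x00, 0x00, 0x01, 0x00};
static const uint8_t SAMPLE_CSIZE_BIG[4] = {0x45, 0x23, 0x01, 0x00};

int main(void)
{
    printf("64K page: before 0x%x, after 0x%x\n",
           csize_before_patch(SAMPLE_CSIZE_64K), csize_after_patch(SAMPLE_CSIZE_64K));
    return 0;
}
```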