[thirdparty/kernel/stable-queue.git] / releases / 3.18.114 / ubifs-fix-potential-integer-overflow-in-allocation.patch

From 353748a359f1821ee934afc579cf04572406b420 Mon Sep 17 00:00:00 2001
From: Silvio Cesare <silvio.cesare@gmail.com>
Date: Fri, 4 May 2018 13:44:02 +1000
Subject: UBIFS: Fix potential integer overflow in allocation

From: Silvio Cesare <silvio.cesare@gmail.com>

commit 353748a359f1821ee934afc579cf04572406b420 upstream.

There is potential for the size and len fields in ubifs_data_node to be
too large causing either a negative value for the length fields or an
integer overflow leading to an incorrect memory allocation. Likewise,
when the len field is small, an integer underflow may occur.

Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ubifs/journal.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
@@ -1101,7 +1101,7 @@ static int recomp_data_node(struct ubifs
 	int err, len, compr_type, out_len;
 
 	out_len = le32_to_cpu(dn->size);
-	buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS);
+	buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS);
 	if (!buf)
 		return -ENOMEM;
Commit	Line	Data
0ea29e54 GKH	1	From 353748a359f1821ee934afc579cf04572406b420 Mon Sep 17 00:00:00 2001
	2	From: Silvio Cesare <silvio.cesare@gmail.com>
	3	Date: Fri, 4 May 2018 13:44:02 +1000
	4	Subject: UBIFS: Fix potential integer overflow in allocation
	5
	6	From: Silvio Cesare <silvio.cesare@gmail.com>
	7
	8	commit 353748a359f1821ee934afc579cf04572406b420 upstream.
	9
	10	There is potential for the size and len fields in ubifs_data_node to be
	11	too large causing either a negative value for the length fields or an
	12	integer overflow leading to an incorrect memory allocation. Likewise,
	13	when the len field is small, an integer underflow may occur.
	14
	15	Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
	16	Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
	17	Cc: stable@vger.kernel.org
	18	Signed-off-by: Kees Cook <keescook@chromium.org>
	19	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	20
	21	---
	22	fs/ubifs/journal.c \| 2 +-
	23	1 file changed, 1 insertion(+), 1 deletion(-)
	24
	25	--- a/fs/ubifs/journal.c
	26	+++ b/fs/ubifs/journal.c
	27	@@ -1101,7 +1101,7 @@ static int recomp_data_node(struct ubifs
	28	int err, len, compr_type, out_len;
	29
	30	out_len = le32_to_cpu(dn->size);
	31	- buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS);
	32	+ buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS);
	33	if (!buf)
	34	return -ENOMEM;
	35