Revert "ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len"

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

This reverts commit acc5af3efa30 ("ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len")

No need to avoid memory oob in dumping for data node alone. Later, node
length will be passed into function 'ubifs_dump_node()' which replaces
all node dumping places.

Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>

authored by

Zhihao Cheng and committed by

Richard Weinberger 5 years ago c8be0975 c4c0d19d

+2 -14

1 changed file

expand all

ubifs

io.c

+2 -14

fs/ubifs/io.c

··· 225 225 int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum, 226 226 int offs, int quiet, int must_chk_crc) 227 227 { 228 - int err = -EINVAL, type, node_len, dump_node = 1; 228 + int err = -EINVAL, type, node_len; 229 229 uint32_t crc, node_crc, magic; 230 230 const struct ubifs_ch *ch = buf; 231 231 ··· 278 278 out_len: 279 279 if (!quiet) 280 280 ubifs_err(c, "bad node length %d", node_len); 281 - if (type == UBIFS_DATA_NODE && node_len > UBIFS_DATA_NODE_SZ) 282 - dump_node = 0; 283 281 out: 284 282 if (!quiet) { 285 283 ubifs_err(c, "bad node at LEB %d:%d", lnum, offs); 286 - if (dump_node) { 287 - ubifs_dump_node(c, buf); 288 - } else { 289 - int safe_len = min3(node_len, c->leb_size - offs, 290 - (int)UBIFS_MAX_DATA_NODE_SZ); 291 - pr_err("\tprevent out-of-bounds memory access\n"); 292 - pr_err("\ttruncated data node length %d\n", safe_len); 293 - pr_err("\tcorrupted data node:\n"); 294 - print_hex_dump(KERN_ERR, "\t", DUMP_PREFIX_OFFSET, 32, 1, 295 - buf, safe_len, 0); 296 - } 284 + ubifs_dump_node(c, buf); 297 285 dump_stack(); 298 286 } 299 287 return err;