From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mail.tricorecenter.de ([217.6.246.34] helo=root.phytec.de) by bombadil.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux)) id 1b6CTP-0004yH-K9 for barebox@lists.infradead.org; Fri, 27 May 2016 07:46:27 +0000 Received: from idefix.phytec.de (idefix.phytec.de [172.16.0.10]) by root.phytec.de (Postfix) with ESMTP id 1136DA00AEB for ; Fri, 27 May 2016 09:46:39 +0200 (CEST) From: Teresa Remmet Date: Fri, 27 May 2016 09:44:10 +0200 Message-Id: <1464335095-35180-18-git-send-email-t.remmet@phytec.de> In-Reply-To: <1464335095-35180-1-git-send-email-t.remmet@phytec.de> References: <1464335095-35180-1-git-send-email-t.remmet@phytec.de> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "barebox" Errors-To: barebox-bounces+u.kleine-koenig=pengutronix.de@lists.infradead.org Subject: [PATCH v2 17/62] UBI: fix out of bounds write To: barebox@lists.infradead.org From: Brian Norris If aeb->len >= vol->reserved_pebs, we should not be writing aeb into the PEB->LEB mapping. Caught by Coverity, CID #711212. Cc: stable Signed-off-by: Brian Norris Signed-off-by: Richard Weinberger Signed-off-by: Teresa Remmet --- drivers/mtd/ubi/eba.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c index 1dbf126..bb89d10 100644 --- a/drivers/mtd/ubi/eba.c +++ b/drivers/mtd/ubi/eba.c @@ -1306,7 +1306,8 @@ int ubi_eba_init(struct ubi_device *ubi, struct ubi_attach_info *ai) * during re-size. */ ubi_move_aeb_to_list(av, aeb, &ai->erase); - vol->eba_tbl[aeb->lnum] = aeb->pnum; + else + vol->eba_tbl[aeb->lnum] = aeb->pnum; } } -- 1.9.1 _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox