git.openpandora.org
/
pandora-kernel.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
ubi: Fix out of bounds write in volume update code
[pandora-kernel.git]
/
drivers
/
mtd
/
ubi
/
upd.c
diff --git
a/drivers/mtd/ubi/upd.c
b/drivers/mtd/ubi/upd.c
index
425bf5a
..
d1802b0
100644
(file)
--- a/
drivers/mtd/ubi/upd.c
+++ b/
drivers/mtd/ubi/upd.c
@@
-135,6
+135,10
@@
int ubi_start_update(struct ubi_device *ubi, struct ubi_volume *vol,
ubi_assert(!vol->updating && !vol->changing_leb);
vol->updating = 1;
ubi_assert(!vol->updating && !vol->changing_leb);
vol->updating = 1;
+ vol->upd_buf = vmalloc(ubi->leb_size);
+ if (!vol->upd_buf)
+ return -ENOMEM;
+
err = set_update_marker(ubi, vol);
if (err)
return err;
err = set_update_marker(ubi, vol);
if (err)
return err;
@@
-154,14
+158,12
@@
int ubi_start_update(struct ubi_device *ubi, struct ubi_volume *vol,
err = clear_update_marker(ubi, vol, 0);
if (err)
return err;
err = clear_update_marker(ubi, vol, 0);
if (err)
return err;
+
+ vfree(vol->upd_buf);
vol->updating = 0;
return 0;
}
vol->updating = 0;
return 0;
}
- vol->upd_buf = vmalloc(ubi->leb_size);
- if (!vol->upd_buf)
- return -ENOMEM;
-
vol->upd_ebs = div_u64(bytes + vol->usable_leb_size - 1,
vol->usable_leb_size);
vol->upd_bytes = bytes;
vol->upd_ebs = div_u64(bytes + vol->usable_leb_size - 1,
vol->usable_leb_size);
vol->upd_bytes = bytes;
@@
-195,7
+197,7
@@
int ubi_start_leb_change(struct ubi_device *ubi, struct ubi_volume *vol,
vol->ch_lnum = req->lnum;
vol->ch_dtype = req->dtype;
vol->ch_lnum = req->lnum;
vol->ch_dtype = req->dtype;
- vol->upd_buf = vmalloc(
req->bytes
);
+ vol->upd_buf = vmalloc(
ALIGN((int)req->bytes, ubi->min_io_size)
);
if (!vol->upd_buf)
return -ENOMEM;
if (!vol->upd_buf)
return -ENOMEM;