Commit c2ffa098 authored by Brian Norris's avatar Brian Norris Committed by Sasha Levin

UBI: fix out of bounds write

[ Upstream commit d74adbdb ]

If aeb->len >= vol->reserved_pebs, we should not be writing aeb into the
PEB->LEB mapping.

Caught by Coverity, CID #711212.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
parent cdf5f443
...@@ -1361,6 +1361,7 @@ int ubi_eba_init(struct ubi_device *ubi, struct ubi_attach_info *ai) ...@@ -1361,6 +1361,7 @@ int ubi_eba_init(struct ubi_device *ubi, struct ubi_attach_info *ai)
* during re-size. * during re-size.
*/ */
ubi_move_aeb_to_list(av, aeb, &ai->erase); ubi_move_aeb_to_list(av, aeb, &ai->erase);
else
vol->eba_tbl[aeb->lnum] = aeb->pnum; vol->eba_tbl[aeb->lnum] = aeb->pnum;
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment