1. Patchew
  2. linux
  3. View series

[PATCH] mtd: ubi: Added a check for ubi_num

Denis Arefev posted 1 patch 1 year, 2 months ago
There is a newer version of this series
drivers/mtd/ubi/build.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] mtd: ubi: Added a check for ubi_num
Posted by Denis Arefev 1 year, 2 months ago 
Added a check for ubi_num for negative numbers
If the variable ubi_num takes negative values then we get:

qemu-system-arm ... -append "ubi.mtd=0,0,0,-22222345" ...
[    0.745065]  ubi_attach_mtd_dev from ubi_init+0x178/0x218
[    0.745230]  ubi_init from do_one_initcall+0x70/0x1ac
[    0.745344]  do_one_initcall from kernel_init_freeable+0x198/0x224
[    0.745474]  kernel_init_freeable from kernel_init+0x18/0x134
[    0.745600]  kernel_init from ret_from_fork+0x14/0x28
[    0.745727] Exception stack(0x90015fb0 to 0x90015ff8)

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 897a316c9e6f ("UBI: handle attach ioctl")
Signed-off-by: Denis Arefev <arefev@swemel.ru>
---
 drivers/mtd/ubi/build.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
index 30be4ed68fad..dae569f48b87 100644
--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -920,7 +920,7 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
 			return -ENFILE;
 		}
 	} else {
-		if (ubi_num >= UBI_MAX_DEVICES)
+		if (ubi_num < UBI_DEV_NUM_AUTO || ubi_num >= UBI_MAX_DEVICES)
 			return -EINVAL;
 
 		/* Make sure ubi_num is not busy */
-- 
2.25.1
Re: [PATCH] mtd: ubi: Added a check for ubi_num
Posted by Zhihao Cheng 1 year, 2 months ago 
在 2024/11/25 21:23, Denis Arefev 写道:
> Added a check for ubi_num for negative numbers
> If the variable ubi_num takes negative values then we get:
> 
> qemu-system-arm ... -append "ubi.mtd=0,0,0,-22222345" ...
> [    0.745065]  ubi_attach_mtd_dev from ubi_init+0x178/0x218
> [    0.745230]  ubi_init from do_one_initcall+0x70/0x1ac
> [    0.745344]  do_one_initcall from kernel_init_freeable+0x198/0x224
> [    0.745474]  kernel_init_freeable from kernel_init+0x18/0x134
> [    0.745600]  kernel_init from ret_from_fork+0x14/0x28
> [    0.745727] Exception stack(0x90015fb0 to 0x90015ff8)
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 897a316c9e6f ("UBI: handle attach ioctl")

Hi Denis,
I think the problem is imported by 
83ff59a066637a6c28844bbf43009459408240f4("UBI: support ubi_num on 
mtd.ubi command line").
> Signed-off-by: Denis Arefev <arefev@swemel.ru>
> ---
>   drivers/mtd/ubi/build.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
> index 30be4ed68fad..dae569f48b87 100644
> --- a/drivers/mtd/ubi/build.c
> +++ b/drivers/mtd/ubi/build.c
> @@ -920,7 +920,7 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
>   			return -ENFILE;
>   		}
>   	} else {
> -		if (ubi_num >= UBI_MAX_DEVICES)
> +		if (ubi_num < UBI_DEV_NUM_AUTO || ubi_num >= UBI_MAX_DEVICES)
>   			return -EINVAL;

The ioctl(UBI_IOCATT) already checks the 'ubi_num', so I prefer to add 
the missing check in ubi_mtd_param_parse().
>   
>   		/* Make sure ubi_num is not busy */
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.