On Fri, Oct 05, 2018 at 06:24:42PM +0200, Richard Weinberger wrote:
Sasha,
Am Freitag, 5. Oktober 2018, 18:17:50 CEST schrieb Sasha Levin:
From: Richard Weinberger richard@nod.at
[ Upstream commit 37f31b6ca4311b94d985fb398a72e5399ad57925 ]
The requested device name can be NULL or an empty string. Check for that and refuse to continue. UBIFS has to do this manually since we cannot use mount_bdev(), which checks for this condition.
Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system") Reported-by: syzbot+38bd0f7865e5c6379280@syzkaller.appspotmail.com Signed-off-by: Richard Weinberger richard@nod.at Signed-off-by: Sasha Levin alexander.levin@microsoft.com
I'm not sure whether it makes sense to apply this patch to stable.
- You need to be the real root to hit this code path.
- Access is read-only, for an attacker it is useless.
If we look at the code: if (name[0] != 'u' || name[1] != 'b' || name[2] != 'i') return ERR_PTR(-EINVAL);
/* ubi:NAME method */ if ((name[3] == ':' || name[3] == '!') && name[4] != '\0')name can be NULL, so we access just a few bytes.
Thanks, //richard
Hi Richard,
I wasn't really looking at it from a security perspective. My thought process was that if a user (root or not) is doing action A, expecting result B but instead unexpectedly sees result C then it's a bug worth fixing in stable.
If you think it's a risky change for stable I'd be happy to drop it.
-- Thanks, Sasha