domenico/openwrt_NSS_ACW
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

kernel: fix possible mtd NULL pointer dereference

Browse Source 
Fixes: 1a9ee36734 ("kernel: backport mtd dynamic partition patch")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This commit is contained in:
Rafał Miłecki
2022-10-04 12:04:37 +02:00
parent 45109f69a6
commit a5265497a4
7 changed files with 65 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
target/linux/generic/backport-5.10/415-v6.0-mtd-core-check-partition-before-dereference.patch Normal file
View File

@@ -0,0 +1,30 @@
From 7ec4cdb321738d44ae5d405e7b6ac73dfbf99caa Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Mon, 25 Jul 2022 22:49:25 +0900
Subject: [PATCH] mtd: core: check partition before dereference
syzbot is reporting NULL pointer dereference at mtd_check_of_node() [1],
for mtdram test device (CONFIG_MTD_MTDRAM) is not partition.
Link: https://syzkaller.appspot.com/bug?extid=fe013f55a2814a9e8cfd [1]
Reported-by: syzbot <syzbot+fe013f55a2814a9e8cfd@syzkaller.appspotmail.com>
Reported-by: kernel test robot <oliver.sang@intel.com>
Fixes: ad9b10d1eaada169 ("mtd: core: introduce of support for dynamic partitions")
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
CC: stable@vger.kernel.org
Signed-off-by: Richard Weinberger <richard@nod.at>
---
drivers/mtd/mtdcore.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/mtd/mtdcore.c
+++ b/drivers/mtd/mtdcore.c
@@ -574,6 +574,8 @@ static void mtd_check_of_node(struct mtd
return;
/* Check if a partitions node exist */
+ if (!mtd_is_partition(mtd))
+ return;
parent = mtd->parent;
parent_dn = dev_of_node(&parent->dev);
if (!parent_dn)

30
target/linux/generic/backport-5.15/404-v6.0-mtd-core-check-partition-before-dereference.patch Normal file
View File

@@ -0,0 +1,30 @@
From 7ec4cdb321738d44ae5d405e7b6ac73dfbf99caa Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Mon, 25 Jul 2022 22:49:25 +0900
Subject: [PATCH] mtd: core: check partition before dereference
syzbot is reporting NULL pointer dereference at mtd_check_of_node() [1],
for mtdram test device (CONFIG_MTD_MTDRAM) is not partition.
Link: https://syzkaller.appspot.com/bug?extid=fe013f55a2814a9e8cfd [1]
Reported-by: syzbot <syzbot+fe013f55a2814a9e8cfd@syzkaller.appspotmail.com>
Reported-by: kernel test robot <oliver.sang@intel.com>
Fixes: ad9b10d1eaada169 ("mtd: core: introduce of support for dynamic partitions")
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
CC: stable@vger.kernel.org
Signed-off-by: Richard Weinberger <richard@nod.at>
---
drivers/mtd/mtdcore.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/mtd/mtdcore.c
+++ b/drivers/mtd/mtdcore.c
@@ -577,6 +577,8 @@ static void mtd_check_of_node(struct mtd
return;
/* Check if a partitions node exist */
+ if (!mtd_is_partition(mtd))
+ return;
parent = mtd->parent;
parent_dn = dev_of_node(&parent->dev);
if (!parent_dn)

2
target/linux/generic/hack-5.10/402-mtd-blktrans-call-add-disks-after-mtd-device.patch
View File

@@ -77,7 +77,7 @@ Signed-off-by: Daniel Golle <daniel@makrotopia.org>
#include "mtdcore.h" #include "mtdcore.h"
@@ -922,6 +923,8 @@ int mtd_device_parse_register(struct mtd @@ -924,6 +925,8 @@ int mtd_device_parse_register(struct mtd
register_reboot_notifier(&mtd->reboot_notifier); register_reboot_notifier(&mtd->reboot_notifier);
} }

1
target/linux/generic/hack-5.10/410-block-fit-partition-parser.patch
View File

@@ -248,3 +248,4 @@ Submitted-by: Daniel Golle <daniel@makrotopia.org>
+ FIT_PARTITION = 0x2e, /* U-Boot uImage.FIT */ + FIT_PARTITION = 0x2e, /* U-Boot uImage.FIT */
SOLARIS_X86_PARTITION = 0x82, /* also Linux swap partitions */ SOLARIS_X86_PARTITION = 0x82, /* also Linux swap partitions */
NEW_SOLARIS_X86_PARTITION = 0xbf, NEW_SOLARIS_X86_PARTITION = 0xbf,

2
target/linux/generic/hack-5.10/420-mtd-set-rootfs-to-be-root-dev.patch
View File

@@ -20,7 +20,7 @@ Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
#include <linux/nvmem-provider.h> #include <linux/nvmem-provider.h>
#include <linux/mtd/mtd.h> #include <linux/mtd/mtd.h>
@@ -765,6 +766,19 @@ int add_mtd_device(struct mtd_info *mtd) @@ -767,6 +768,19 @@ int add_mtd_device(struct mtd_info *mtd)
of this try_ nonsense, and no bitching about it of this try_ nonsense, and no bitching about it
either. :) */ either. :) */
__module_get(THIS_MODULE); __module_get(THIS_MODULE);

2
target/linux/generic/hack-5.15/402-mtd-blktrans-call-add-disks-after-mtd-device.patch
View File

@@ -77,7 +77,7 @@ Signed-off-by: Daniel Golle <daniel@makrotopia.org>
#include "mtdcore.h" #include "mtdcore.h"
@@ -1073,6 +1074,8 @@ int mtd_device_parse_register(struct mtd @@ -1075,6 +1076,8 @@ int mtd_device_parse_register(struct mtd
ret = mtd_otp_nvmem_add(mtd); ret = mtd_otp_nvmem_add(mtd);

2
target/linux/generic/hack-5.15/420-mtd-set-rootfs-to-be-root-dev.patch
View File

@@ -20,7 +20,7 @@ Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
#include <linux/nvmem-provider.h> #include <linux/nvmem-provider.h>
#include <linux/mtd/mtd.h> #include <linux/mtd/mtd.h>
@@ -768,6 +769,16 @@ int add_mtd_device(struct mtd_info *mtd) @@ -770,6 +771,16 @@ int add_mtd_device(struct mtd_info *mtd)
of this try_ nonsense, and no bitching about it of this try_ nonsense, and no bitching about it
either. :) */ either. :) */
__module_get(THIS_MODULE); __module_get(THIS_MODULE);