UBI: fix out of bounds write

commit d74adbdb9abf0d2506a6c4afa534d894f28b763f upstream. If aeb->len >= vol->reserved_pebs, we should not be writing aeb into the PEB->LEB mapping. Caught by Coverity, CID #711212. Signed-off-by: Brian Norris <computersforpeace@gmail.com> Signed-off-by: Richard Weinberger <richard@nod.at> [bwh: Backported to 3.2: adjust context; s/leb/seb/g] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
author: Brian Norris <computersforpeace@gmail.com> 2015-02-28 02:23:26 -0800
committer: Ben Hutchings <ben@decadent.org.uk> 2015-08-07 00:32:01 +0100
commit: 4d1519d8538a6a91ffcd10d56a15f538804b5bad (patch)
tree: ad725ce06e0df913c6e6ddef43d52fc2c91e18da /drivers/mtd
parent: 5daa0af639b0be923694f1e12f3029f0562f8dfc (diff)
download: kernel_samsung_smdk4412-4d1519d8538a6a91ffcd10d56a15f538804b5bad.zip
kernel_samsung_smdk4412-4d1519d8538a6a91ffcd10d56a15f538804b5bad.tar.gz
kernel_samsung_smdk4412-4d1519d8538a6a91ffcd10d56a15f538804b5bad.tar.bz2
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c
index cd26da8..22b3636 100644
--- a/drivers/mtd/ubi/eba.c
+++ b/drivers/mtd/ubi/eba.c
@@ -1261,7 +1261,8 @@ int ubi_eba_init_scan(struct ubi_device *ubi, struct ubi_scan_info *si)
 				 * during re-size.
 				 */
 				ubi_scan_move_to_list(sv, seb, &si->erase);
-			vol->eba_tbl[seb->lnum] = seb->pnum;
+			else
+				vol->eba_tbl[seb->lnum] = seb->pnum;
 		}
 	}
author	Brian Norris <computersforpeace@gmail.com>	2015-02-28 02:23:26 -0800
committer	Ben Hutchings <ben@decadent.org.uk>	2015-08-07 00:32:01 +0100
commit	4d1519d8538a6a91ffcd10d56a15f538804b5bad (patch)
tree	ad725ce06e0df913c6e6ddef43d52fc2c91e18da /drivers/mtd
parent	5daa0af639b0be923694f1e12f3029f0562f8dfc (diff)
download	kernel_samsung_smdk4412-4d1519d8538a6a91ffcd10d56a15f538804b5bad.zip kernel_samsung_smdk4412-4d1519d8538a6a91ffcd10d56a15f538804b5bad.tar.gz kernel_samsung_smdk4412-4d1519d8538a6a91ffcd10d56a15f538804b5bad.tar.bz2