openwrtv4/target/linux/pistachio/patches-4.9/411-mtd-nand-Check-length-of-ID-before-reading-bits-per-.patch
Stijn Tintel f621b53951 kernel: bump 4.9 to 4.9.82
Refresh patches.
Remove upstreamed patches:
- ar7/002-MIPS-AR7-ensure-the-port-type-s-FCR-value-is-used.patch
- backport/040-crypto-fix-typo-in-KPP-dependency-of-CRYPTO_ECDH.patch
Remove layerscape/819-Revert-dmaengine-dmatest-move-callback-wait-queue-to.patch,
it is superseded by upstream commit 297c7cc4b5651b174a62925b6c961085f04979fd.
Remove pending/650-pppoe_header_pad.patch, it is superseded by
upstream commit 1bd21b158e07e0b8c5a2ce832305a0ebfe42c480.
Update patches that no longer apply:
- ar71xx/004-register_gpio_driver_earlier.patch
- hack/204-module_strip.patch
- pending/493-ubi-set-ROOT_DEV-to-ubiblock-rootfs-if-unset.patch

Fixes CVE-2017-8824.

Compile-tested: ar71xx.
Runtime-tested: ar71xx.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-02-18 02:59:57 +01:00

33 lines
1.3 KiB
Diff

From 42ebff638003be18fab503b37de4ad7853244e95 Mon Sep 17 00:00:00 2001
From: Ezequiel Garcia <ezequiel.garcia@imgtec.com>
Date: Sat, 25 Feb 2017 15:58:22 +0000
Subject: mtd: nand: Check length of ID before reading bits per cell
The table-based NAND identification currently reads the number
of bits per cell from the 3rd byte of the extended ID. This is done
for the so-called 'full ID' devices; i.e. devices that have a known
length ID.
However, if the ID length is shorter than three, there's no 3rd byte,
and so it's wrong to read the bits per cell from there. Fix this by
adding a check for the ID length.
(picked from http://lists.infradead.org/pipermail/linux-mtd/2014-December/056764.html)
Signed-off-by: Ezequiel Garcia <ezequiel.garcia@imgtec.com>
---
drivers/mtd/nand/nand_base.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/mtd/nand/nand_base.c
+++ b/drivers/mtd/nand/nand_base.c
@@ -4046,7 +4046,8 @@ static bool find_full_id_nand(struct mtd
mtd->erasesize = type->erasesize;
mtd->oobsize = type->oobsize;
- chip->bits_per_cell = nand_get_bits_per_cell(id_data[2]);
+ if (type->id_len > 2)
+ chip->bits_per_cell = nand_get_bits_per_cell(id_data[2]);
chip->chipsize = (uint64_t)type->chipsize << 20;
chip->options |= type->options;
chip->ecc_strength_ds = NAND_ECC_STRENGTH(type);