>Reviewed-by: Joakim Tjernlund
Thanks for your review.
>It would be interesting to know how you managed to create such a dir entry as
>that is a bug too.
We discovered this bug by performing fuzzing tests, which simulate bit flips
that may occur anywhere in a flash device in real-world
From: lizhe
KASAN reports a slab-out-of-bounds problem. The logs are listed below.
This is because in function jffs2_scan_dirent_node we allocate "checkedlen+1"
bytes for fd->name but check the CRC with length rd->nsize. If checkedlen
is less than rd->nsize, this causes the slab-out-of-bounds
Maintainer ping?
Zhe
On Tue, 13 Oct 2020 19:41:30 +0800, Zhe Li wrote:
>
>Setting rp_size to zero will be ignored during remounting.
>
>The method used to identify whether a remounting option of
>rp_size was given is to check whether the rp_size input is zero. It cannot work
>well if
Maintainer ping?
Zhe
On Tue, 13 Oct 2020 15:22:37 +0800, Zhe Li wrote:
>
>The jffs2 mount options will be ignored when remounting jffs2.
>It can be easily reproduced with the steps listed below.
>1. mount -t jffs2 -o compr=none /dev/mtdblockx /mnt
>2. mount -o remount
From: lizhe
Setting rp_size to zero will be ignored during remounting.
The method used to identify whether a remounting option of
rp_size was given is to check whether the rp_size input is zero. It cannot work
well if we pass "rp_size=0".
This patch adds a bool variable "set_rp_size" to fix this problem.
By
From: lizhe
The jffs2 mount options will be ignored when remounting jffs2.
It can be easily reproduced with the steps listed below.
1. mount -t jffs2 -o compr=none /dev/mtdblockx /mnt
2. mount -o remount compr=zlib /mnt
Since ec10a24f10c8, the option parsing happens before fill_super and
then
t; to solve the UAF problem.
Signed-off-by: Zhe Li
---
fs/jffs2/dir.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/jffs2/dir.c b/fs/jffs2/dir.c
index f20cff1..7764937 100644
--- a/fs/jffs2/dir.c
+++ b/fs/jffs2/dir.c
@@ -590,10 +590,14 @@ static int jffs2_rmdir (str
f we find
an inode node while mounting, and jffs2 never adds to the value of
c->unchecked_size in other situations. So this patch adds one more
condition on c->unchecked_size to the check to fix this problem.
Signed-off-by: Zhe Li
---
fs/jffs2/scan.c | 3 ++-
1 file changed, 2 inser
k the nsize and the
return value of strnlen(rd->name, rd->nsize). If
an abnormal node is found, use function jffs2_scan_dirty_space
to deal with it.
Signed-off-by: Zhe Li
---
fs/jffs2/scan.c | 13 +
1 file changed, 13 insertions(+)
diff --git a/fs/jffs2/scan.c b/fs/jffs2/scan.c
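The two descriptions above, the KASAN report (an fd->name buffer of checkedlen+1 bytes with the CRC computed over rd->nsize bytes) and the later patch summary (compare rd->nsize with strnlen(rd->name, rd->nsize) and hand a mismatching node to jffs2_scan_dirty_space), as one added worked example in C. This is not jffs2 source and not Zhe Li's patch: struct raw_dirent, scan_dirent(), dirent_overread_bytes(), bounded_len() and the sample "firmware.bin" node are assumptions made for the example, the node layout keeps only the fields the name check uses, and the CRC-32 variant only has to be the one writer and scanner here agree on.

```c
/* Added example, not jffs2 source: a scan routine for a JFFS2-style raw
 * directory entry showing the length mismatch discussed in the thread.
 * Hypothetical names: struct raw_dirent, scan_dirent(), dirent_overread_bytes(). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Only the fields the name check uses; the real jffs2_raw_dirent has more
 * (constructed layout). */
struct raw_dirent {
    uint8_t  nsize;        /* name length claimed by the node on flash */
    uint32_t name_crc;     /* CRC32 of name[0..nsize) as written */
    uint8_t  name[255];
};

enum scan_result { SCAN_OK, SCAN_DIRTY, SCAN_BAD_CRC, SCAN_NOMEM };

/* Bitwise CRC-32 (reflected 0xEDB88320 polynomial), seed 0 and uninverted,
 * in the style of jffs2's crc32(0, buf, len) calls. */
static uint32_t crc32_le(uint32_t crc, const uint8_t *p, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

/* strnlen() equivalent: bytes before the first NUL, capped at max. */
static size_t bounded_len(const uint8_t *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != 0)
        n++;
    return n;
}

/* Bytes a CRC over rd->nsize would read past a (checkedlen + 1)-byte name
 * buffer: the slab-out-of-bounds amount KASAN reports in the thread. */
size_t dirent_overread_bytes(const struct raw_dirent *rd)
{
    size_t alloc = bounded_len(rd->name, rd->nsize) + 1;
    return rd->nsize > alloc ? rd->nsize - alloc : 0;
}

/* Hardened scan: compare the claimed length with the bytes actually present
 * before allocating, and report a mismatch as dirty space instead of using
 * rd->nsize as the CRC length. */
enum scan_result scan_dirent(const struct raw_dirent *rd, char **name_out)
{
    size_t checkedlen = bounded_len(rd->name, rd->nsize);

    /* A NUL inside the claimed name means nsize does not describe the bytes
     * on flash (bit flip or corruption): the caller marks the node dirty,
     * as the thread's patch does with jffs2_scan_dirty_space(). */
    if (checkedlen != rd->nsize)
        return SCAN_DIRTY;

    /* CRC over exactly the bytes that will be copied, never over nsize alone. */
    if (crc32_le(0, rd->name, checkedlen) != rd->name_crc)
        return SCAN_BAD_CRC;

    char *name = malloc(checkedlen + 1);
    if (!name)
        return SCAN_NOMEM;
    memcpy(name, rd->name, checkedlen);
    name[checkedlen] = '\0';
    *name_out = name;
    return SCAN_OK;
}

/* Constructed sample node: a well-formed dirent for `name`. */
static void make_dirent(struct raw_dirent *rd, const char *name)
{
    memset(rd, 0, sizeof *rd);
    rd->nsize = (uint8_t)strlen(name);
    memcpy(rd->name, name, rd->nsize);
    rd->name_crc = crc32_le(0, rd->name, rd->nsize);
}

/* Worked cases, returned by name so they can be checked: an intact node, and
 * the fuzzing case from the thread where a flipped byte inside the name
 * becomes NUL while nsize still says 12. */
enum scan_result demo_scan(int corrupt)
{
    struct raw_dirent rd;
    char *name = NULL;
    make_dirent(&rd, "firmware.bin");
    if (corrupt)
        rd.name[3] = 0;            /* "fir\0ware.bin" */
    enum scan_result r = scan_dirent(&rd, &name);
    free(name);
    return r;                      /* SCAN_OK intact, SCAN_DIRTY corrupt */
}

size_t demo_overread(int corrupt)
{
    struct raw_dirent rd;
    make_dirent(&rd, "firmware.bin");
    if (corrupt)
        rd.name[3] = 0;
    return dirent_overread_bytes(&rd);   /* 0 intact; 12 - (3 + 1) = 8 corrupt */
}

int main(void)
{
    printf("intact:  scan=%d overread=%zu\n", demo_scan(0), demo_overread(0));
    printf("corrupt: scan=%d overread=%zu\n", demo_scan(1), demo_overread(1));
    return 0;
}
```

The overread figure is computed rather than performed, so the example never reads past its own buffer; with the original ordering (allocate checkedlen+1, then CRC over rd->nsize) those 8 bytes are exactly what KASAN would flag. Checking the length before the allocation also means a corrupted node never reaches the allocator at all.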
node will
be marked obsolete, so GC will skip this node and this
problem will be fixed.
Signed-off-by: Zhe Li
---
fs/jffs2/readinode.c | 16
1 file changed, 16 insertions(+)
diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c
index bccfc40b..d19483f 100644
--- a/fs/jffs2/