openwrt/target/linux/pistachio/patches-4.9/411-mtd-nand-Check-length-of-ID-before-reading-bits-per-.patch
Stijn Tintel 2d02a4f5bd kernel: update 4.9 to 4.9.44
Refresh patches.
Adapt 704-phy-no-genphy-soft-reset.patch.
Remove brcm2708/950-0005-mm-Remove-the-PFN-busy-warning.patch.
Compile-tested on brcm2708/bcm2708 and x86/64.
Runtime-tested on brcm2708/bcm2708 and x86/64.

Fixes the following vulnerabilities:
- CVE-2017-7533
- CVE-2017-1000111
- CVE-2017-1000112

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-08-17 12:34:34 +02:00

From 42ebff638003be18fab503b37de4ad7853244e95 Mon Sep 17 00:00:00 2001
From: Ezequiel Garcia <ezequiel.garcia@imgtec.com>
Date: Sat, 25 Feb 2017 15:58:22 +0000
Subject: mtd: nand: Check length of ID before reading bits per cell

The table-based NAND identification currently reads the number
of bits per cell from the 3rd byte of the extended ID. This is done
for the so-called 'full ID' devices; i.e. devices that have a known
length ID.

However, if the ID length is shorter than three, there's no 3rd byte,
and so it's wrong to read the bits per cell from there. Fix this by
adding a check for the ID length.

(picked from http://lists.infradead.org/pipermail/linux-mtd/2014-December/056764.html)

Signed-off-by: Ezequiel Garcia <ezequiel.garcia@imgtec.com>
---
drivers/mtd/nand/nand_base.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/mtd/nand/nand_base.c
+++ b/drivers/mtd/nand/nand_base.c
@@ -4040,7 +4040,8 @@ static bool find_full_id_nand(struct mtd
mtd->erasesize = type->erasesize;
mtd->oobsize = type->oobsize;
- chip->bits_per_cell = nand_get_bits_per_cell(id_data[2]);
+ if (type->id_len > 2)
+ chip->bits_per_cell = nand_get_bits_per_cell(id_data[2]);
chip->chipsize = (uint64_t)type->chipsize << 20;
chip->options |= type->options;
chip->ecc_strength_ds = NAND_ECC_STRENGTH(type);
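
Review bot: With the new `if (type->id_len > 2)` guard in find_full_id_nand(), chip->bits_per_cell is not assigned at all when the table entry's ID is two bytes or shorter, and nothing in the visible context gives it a fallback. The bound itself is right, since index 2 needs at least three ID bytes, but the skipped case now depends on whatever value the field held before this function ran. Consider adding an else branch that sets an explicit default, or a short comment above the check stating which value callers should expect for short IDs, so that later code using bits_per_cell does not depend on initialization done elsewhere.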