* Fix a stack overflow in lib/bch.c

-----BEGIN PGP SIGNATURE-----
 
 iQI5BAABCAAjBQJbwEtmHBxib3Jpcy5icmV6aWxsb25AYm9vdGxpbi5jb20ACgkQ
 Ze02AX4ItwB9+g/7BGRJ4PkXiDVNI01N/I50oSeAQhfSJPGLOH4uWRLvvAwMMoqJ
 WmblcUwvllg7E8t9hcMOINuVEhweSAu6YxKBvVbGRKhqnuV13eNyOj8OB4IF+Yk0
 RVAYbf1lyyfZGs4PQGwvMG14kM4Y/9ttVnwfewOjBqdJf66MiTeRTX4k7z7GTrYo
 kpkTSwKUlYi9eEEJB9Mhq9Ib9f2aiIeGWhzX/oZQ5ZIW0u5wkjdYTgIA4xaT1vML
 m4KiTBRMbDV63BWuJmSDi7YXLvEb9PbZRC2EA5j8VwDmEgWDw3hPuSdayQ06s/1g
 JjZR7s6+HW8D84i9ecGJOafOS0nuwIkdBJ7aepDkiad87crweWLf9JRxkz11LPbw
 DRrXIDswh8525fHLSwK9Fzg067fSJye8XrQtwMgZVAG6d+dDkrjzgUAfTo9fTf2j
 0pShcwedDmoJrL5ntO0MQKm05RfUKRe7HmiUXX3FiXDdjNyhSM9SReN2dPw9MszP
 mlwaWZdmg3hd6cvn0aCHvmqbDBxeh1mS3RyEcXxONU+h1NGv3IS0mpLD3vLk7SHm
 6Al8+Lpbd92ldEnPLYUrJeBlhJJiwS1amTZf4xxKGWLDFM4pKzWwj9T2vFtVAZAa
 bXEs8x8CgHbfP/oYBh8sHFjoHGlaF+f6opfp5JuUcHV3GHhUFDVlVQyOBR8=
 =vdMk
 -----END PGP SIGNATURE-----

Merge tag 'mtd/fixes-for-4.19-rc8' of git://git.infradead.org/linux-mtd

Boris writes:
  "mdt: fix for 4.19-rc8

   * Fix a stack overflow in lib/bch.c"

* tag 'mtd/fixes-for-4.19-rc8' of git://git.infradead.org/linux-mtd:
  lib/bch: fix possible stack overrun
This commit is contained in:
Greg Kroah-Hartman 2018-10-12 12:54:26 +02:00
Родитель 62d2e531d7 f0fe77f601
Коммит a291ab2d40
2 изменённых файлов: 13 добавлений и 5 удалений

Просмотреть файл

@ -119,7 +119,6 @@ obj-$(CONFIG_ZLIB_INFLATE) += zlib_inflate/
obj-$(CONFIG_ZLIB_DEFLATE) += zlib_deflate/ obj-$(CONFIG_ZLIB_DEFLATE) += zlib_deflate/
obj-$(CONFIG_REED_SOLOMON) += reed_solomon/ obj-$(CONFIG_REED_SOLOMON) += reed_solomon/
obj-$(CONFIG_BCH) += bch.o obj-$(CONFIG_BCH) += bch.o
CFLAGS_bch.o := $(call cc-option,-Wframe-larger-than=4500)
obj-$(CONFIG_LZO_COMPRESS) += lzo/ obj-$(CONFIG_LZO_COMPRESS) += lzo/
obj-$(CONFIG_LZO_DECOMPRESS) += lzo/ obj-$(CONFIG_LZO_DECOMPRESS) += lzo/
obj-$(CONFIG_LZ4_COMPRESS) += lz4/ obj-$(CONFIG_LZ4_COMPRESS) += lz4/

Просмотреть файл

@ -79,20 +79,19 @@
#define GF_T(_p) (CONFIG_BCH_CONST_T) #define GF_T(_p) (CONFIG_BCH_CONST_T)
#define GF_N(_p) ((1 << (CONFIG_BCH_CONST_M))-1) #define GF_N(_p) ((1 << (CONFIG_BCH_CONST_M))-1)
#define BCH_MAX_M (CONFIG_BCH_CONST_M) #define BCH_MAX_M (CONFIG_BCH_CONST_M)
#define BCH_MAX_T (CONFIG_BCH_CONST_T)
#else #else
#define GF_M(_p) ((_p)->m) #define GF_M(_p) ((_p)->m)
#define GF_T(_p) ((_p)->t) #define GF_T(_p) ((_p)->t)
#define GF_N(_p) ((_p)->n) #define GF_N(_p) ((_p)->n)
#define BCH_MAX_M 15 #define BCH_MAX_M 15 /* 2KB */
#define BCH_MAX_T 64 /* 64 bit correction */
#endif #endif
#define BCH_MAX_T (((1 << BCH_MAX_M) - 1) / BCH_MAX_M)
#define BCH_ECC_WORDS(_p) DIV_ROUND_UP(GF_M(_p)*GF_T(_p), 32) #define BCH_ECC_WORDS(_p) DIV_ROUND_UP(GF_M(_p)*GF_T(_p), 32)
#define BCH_ECC_BYTES(_p) DIV_ROUND_UP(GF_M(_p)*GF_T(_p), 8) #define BCH_ECC_BYTES(_p) DIV_ROUND_UP(GF_M(_p)*GF_T(_p), 8)
#define BCH_ECC_MAX_WORDS DIV_ROUND_UP(BCH_MAX_M * BCH_MAX_T, 32) #define BCH_ECC_MAX_WORDS DIV_ROUND_UP(BCH_MAX_M * BCH_MAX_T, 32)
#define BCH_ECC_MAX_BYTES DIV_ROUND_UP(BCH_MAX_M * BCH_MAX_T, 8)
#ifndef dbg #ifndef dbg
#define dbg(_fmt, args...) do {} while (0) #define dbg(_fmt, args...) do {} while (0)
@ -202,6 +201,9 @@ void encode_bch(struct bch_control *bch, const uint8_t *data,
const uint32_t * const tab3 = tab2 + 256*(l+1); const uint32_t * const tab3 = tab2 + 256*(l+1);
const uint32_t *pdata, *p0, *p1, *p2, *p3; const uint32_t *pdata, *p0, *p1, *p2, *p3;
if (WARN_ON(r_bytes > sizeof(r)))
return;
if (ecc) { if (ecc) {
/* load ecc parity bytes into internal 32-bit buffer */ /* load ecc parity bytes into internal 32-bit buffer */
load_ecc8(bch, bch->ecc_buf, ecc); load_ecc8(bch, bch->ecc_buf, ecc);
@ -1285,6 +1287,13 @@ struct bch_control *init_bch(int m, int t, unsigned int prim_poly)
*/ */
goto fail; goto fail;
if (t > BCH_MAX_T)
/*
* we can support larger than 64 bits if necessary, at the
* cost of higher stack usage.
*/
goto fail;
/* sanity checks */ /* sanity checks */
if ((t < 1) || (m*t >= ((1 << m)-1))) if ((t < 1) || (m*t >= ((1 << m)-1)))
/* invalid t value */ /* invalid t value */