aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFelix Fietkau <nbd@openwrt.org>2009-07-21 15:05:13 +0000
committerFelix Fietkau <nbd@openwrt.org>2009-07-21 15:05:13 +0000
commit1ee4f5841632863bd85738bf7fc87c6dbf401090 (patch)
tree8b4e06d72c616f7a8d7c5af5f7ad1dc2a0406d4b
parent349a74df5340f3453a88d6335f4ca481a7a47328 (diff)
downloadupstream-1ee4f5841632863bd85738bf7fc87c6dbf401090.tar.gz
upstream-1ee4f5841632863bd85738bf7fc87c6dbf401090.tar.bz2
upstream-1ee4f5841632863bd85738bf7fc87c6dbf401090.zip
fix a >2 year old stack overflow in the mtd rootfs split patch which only caused issues on the orion platform on 2.6.30.
also merge the squashfs4 fix into the rootfs split patch git-svn-id: svn://svn.openwrt.org/openwrt/trunk@16944 3c298f89-4303-0410-b956-a3cf2f4a3e73
-rw-r--r--target/linux/generic-2.6/patches-2.6.27/065-rootfs_split.patch19
-rw-r--r--target/linux/generic-2.6/patches-2.6.28/065-rootfs_split.patch19
-rw-r--r--target/linux/generic-2.6/patches-2.6.30/065-rootfs_split.patch19
-rw-r--r--target/linux/generic-2.6/patches-2.6.30/066-rootfs_split_squashfs4_fix.patch27
4 files changed, 27 insertions, 57 deletions
diff --git a/target/linux/generic-2.6/patches-2.6.27/065-rootfs_split.patch b/target/linux/generic-2.6/patches-2.6.27/065-rootfs_split.patch
index c05d791813..685a246a8c 100644
--- a/target/linux/generic-2.6/patches-2.6.27/065-rootfs_split.patch
+++ b/target/linux/generic-2.6/patches-2.6.27/065-rootfs_split.patch
@@ -37,7 +37,7 @@
/*
* MTD methods which simply translate the effective address and pass through
-@@ -489,6 +491,148 @@ out_register:
+@@ -489,6 +491,147 @@ out_register:
return slave;
}
@@ -46,32 +46,31 @@
+#define ROOTFS_REMOVED_NAME "<removed>"
+static int split_squashfs(struct mtd_info *master, int offset, int *split_offset)
+{
-+ char buf[512];
-+ struct squashfs_super_block *sb = (struct squashfs_super_block *) buf;
++ struct squashfs_super_block sb;
+ int len, ret;
+
-+ ret = master->read(master, offset, sizeof(*sb), &len, buf);
-+ if (ret || (len != sizeof(*sb))) {
++ ret = master->read(master, offset, sizeof(sb), &len, (void *) &sb);
++ if (ret || (len != sizeof(sb))) {
+ printk(KERN_ALERT "split_squashfs: error occured while reading "
+ "from \"%s\"\n", master->name);
+ return -EINVAL;
+ }
+
-+ if (*((u32 *) buf) != SQUASHFS_MAGIC) {
++ if (sb.s_magic != SQUASHFS_MAGIC) {
+ printk(KERN_ALERT "split_squashfs: no squashfs found in \"%s\"\n",
+ master->name);
+ *split_offset = 0;
+ return 0;
+ }
+
-+ if (sb->bytes_used <= 0) {
++ if (sb.bytes_used <= 0) {
+ printk(KERN_ALERT "split_squashfs: squashfs is empty in \"%s\"\n",
+ master->name);
+ *split_offset = 0;
+ return 0;
+ }
+
-+ len = (u32) sb->bytes_used;
++ len = (u32) sb.bytes_used;
+ len += (offset & 0x000fffff);
+ len += (master->erasesize - 1);
+ len &= ~(master->erasesize - 1);
@@ -186,7 +185,7 @@
/*
* This function, given a master MTD object and a partition table, creates
* and registers slave MTD objects which are bound to the master according to
-@@ -502,14 +646,29 @@ int add_mtd_partitions(struct mtd_info *
+@@ -502,14 +645,29 @@ int add_mtd_partitions(struct mtd_info *
{
struct mtd_part *slave;
u_int32_t cur_offset = 0;
@@ -219,7 +218,7 @@
cur_offset = slave->offset + slave->mtd.size;
}
-@@ -517,6 +676,32 @@ int add_mtd_partitions(struct mtd_info *
+@@ -517,6 +675,32 @@ int add_mtd_partitions(struct mtd_info *
}
EXPORT_SYMBOL(add_mtd_partitions);
diff --git a/target/linux/generic-2.6/patches-2.6.28/065-rootfs_split.patch b/target/linux/generic-2.6/patches-2.6.28/065-rootfs_split.patch
index 176bed8f8a..2ba39834b4 100644
--- a/target/linux/generic-2.6/patches-2.6.28/065-rootfs_split.patch
+++ b/target/linux/generic-2.6/patches-2.6.28/065-rootfs_split.patch
@@ -37,7 +37,7 @@
/*
* MTD methods which simply translate the effective address and pass through
-@@ -489,6 +491,148 @@ out_register:
+@@ -489,6 +491,147 @@ out_register:
return slave;
}
@@ -46,32 +46,31 @@
+#define ROOTFS_REMOVED_NAME "<removed>"
+static int split_squashfs(struct mtd_info *master, int offset, int *split_offset)
+{
-+ char buf[512];
-+ struct squashfs_super_block *sb = (struct squashfs_super_block *) buf;
++ struct squashfs_super_block sb;
+ int len, ret;
+
-+ ret = master->read(master, offset, sizeof(*sb), &len, buf);
-+ if (ret || (len != sizeof(*sb))) {
++ ret = master->read(master, offset, sizeof(sb), &len, (void *) &sb);
++ if (ret || (len != sizeof(sb))) {
+ printk(KERN_ALERT "split_squashfs: error occured while reading "
+ "from \"%s\"\n", master->name);
+ return -EINVAL;
+ }
+
-+ if (*((u32 *) buf) != SQUASHFS_MAGIC) {
++ if (sb.s_magic != SQUASHFS_MAGIC) {
+ printk(KERN_ALERT "split_squashfs: no squashfs found in \"%s\"\n",
+ master->name);
+ *split_offset = 0;
+ return 0;
+ }
+
-+ if (sb->bytes_used <= 0) {
++ if (sb.bytes_used <= 0) {
+ printk(KERN_ALERT "split_squashfs: squashfs is empty in \"%s\"\n",
+ master->name);
+ *split_offset = 0;
+ return 0;
+ }
+
-+ len = (u32) sb->bytes_used;
++ len = (u32) sb.bytes_used;
+ len += (offset & 0x000fffff);
+ len += (master->erasesize - 1);
+ len &= ~(master->erasesize - 1);
@@ -186,7 +185,7 @@
/*
* This function, given a master MTD object and a partition table, creates
* and registers slave MTD objects which are bound to the master according to
-@@ -502,14 +646,29 @@ int add_mtd_partitions(struct mtd_info *
+@@ -502,14 +645,29 @@ int add_mtd_partitions(struct mtd_info *
{
struct mtd_part *slave;
u_int32_t cur_offset = 0;
@@ -219,7 +218,7 @@
cur_offset = slave->offset + slave->mtd.size;
}
-@@ -517,6 +676,32 @@ int add_mtd_partitions(struct mtd_info *
+@@ -517,6 +675,32 @@ int add_mtd_partitions(struct mtd_info *
}
EXPORT_SYMBOL(add_mtd_partitions);
diff --git a/target/linux/generic-2.6/patches-2.6.30/065-rootfs_split.patch b/target/linux/generic-2.6/patches-2.6.30/065-rootfs_split.patch
index 0eca8990bc..824e3df10e 100644
--- a/target/linux/generic-2.6/patches-2.6.30/065-rootfs_split.patch
+++ b/target/linux/generic-2.6/patches-2.6.30/065-rootfs_split.patch
@@ -37,7 +37,7 @@
/*
* MTD methods which simply translate the effective address and pass through
-@@ -512,6 +514,156 @@ out_register:
+@@ -512,6 +514,155 @@ out_register:
return slave;
}
@@ -54,32 +54,31 @@
+
+static int split_squashfs(struct mtd_info *master, int offset, int *split_offset)
+{
-+ char buf[512];
-+ struct squashfs_super_block *sb = (struct squashfs_super_block *) buf;
++ struct squashfs_super_block sb;
+ int len, ret;
+
-+ ret = master->read(master, offset, sizeof(*sb), &len, buf);
-+ if (ret || (len != sizeof(*sb))) {
++ ret = master->read(master, offset, sizeof(sb), &len, (void *) &sb);
++ if (ret || (len != sizeof(sb))) {
+ printk(KERN_ALERT "split_squashfs: error occured while reading "
+ "from \"%s\"\n", master->name);
+ return -EINVAL;
+ }
+
-+ if (*((u32 *) buf) != SQUASHFS_MAGIC) {
++ if (SQUASHFS_MAGIC != le32_to_cpu(sb.s_magic) ) {
+ printk(KERN_ALERT "split_squashfs: no squashfs found in \"%s\"\n",
+ master->name);
+ *split_offset = 0;
+ return 0;
+ }
+
-+ if (sb->bytes_used <= 0) {
++ if (le64_to_cpu((sb.bytes_used)) <= 0) {
+ printk(KERN_ALERT "split_squashfs: squashfs is empty in \"%s\"\n",
+ master->name);
+ *split_offset = 0;
+ return 0;
+ }
+
-+ len = (u32) sb->bytes_used;
++ len = (u32) le64_to_cpu(sb.bytes_used);
+ len += (offset & 0x000fffff);
+ len += (master->erasesize - 1);
+ len &= ~(master->erasesize - 1);
@@ -194,7 +193,7 @@
/*
* This function, given a master MTD object and a partition table, creates
* and registers slave MTD objects which are bound to the master according to
-@@ -527,14 +679,29 @@ int add_mtd_partitions(struct mtd_info *
+@@ -527,14 +678,29 @@ int add_mtd_partitions(struct mtd_info *
{
struct mtd_part *slave;
uint64_t cur_offset = 0;
@@ -227,7 +226,7 @@
cur_offset = slave->offset + slave->mtd.size;
}
-@@ -542,6 +709,32 @@ int add_mtd_partitions(struct mtd_info *
+@@ -542,6 +708,32 @@ int add_mtd_partitions(struct mtd_info *
}
EXPORT_SYMBOL(add_mtd_partitions);
diff --git a/target/linux/generic-2.6/patches-2.6.30/066-rootfs_split_squashfs4_fix.patch b/target/linux/generic-2.6/patches-2.6.30/066-rootfs_split_squashfs4_fix.patch
deleted file mode 100644
index a968a57fac..0000000000
--- a/target/linux/generic-2.6/patches-2.6.30/066-rootfs_split_squashfs4_fix.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- a/drivers/mtd/mtdpart.c
-+++ b/drivers/mtd/mtdpart.c
-@@ -538,21 +538,21 @@ static int split_squashfs(struct mtd_inf
- return -EINVAL;
- }
-
-- if (*((u32 *) buf) != SQUASHFS_MAGIC) {
-+ if (SQUASHFS_MAGIC != le32_to_cpu(sb->s_magic) ) {
- printk(KERN_ALERT "split_squashfs: no squashfs found in \"%s\"\n",
- master->name);
- *split_offset = 0;
- return 0;
- }
-
-- if (sb->bytes_used <= 0) {
-+ if (le64_to_cpu((sb->bytes_used)) <= 0) {
- printk(KERN_ALERT "split_squashfs: squashfs is empty in \"%s\"\n",
- master->name);
- *split_offset = 0;
- return 0;
- }
-
-- len = (u32) sb->bytes_used;
-+ len = (u32) le64_to_cpu(sb->bytes_used);
- len += (offset & 0x000fffff);
- len += (master->erasesize - 1);
- len &= ~(master->erasesize - 1);