From 6bacf3c99f2f1743328317812e3bee3d18b9b5f9 Mon Sep 17 00:00:00 2001 From: nbd Date: Tue, 21 Jul 2009 15:05:13 +0000 Subject: [PATCH] fix a >2 year old stack overflow in the mtd rootfs split patch which only caused issues on the orion platform on 2.6.30. also merge the squashfs4 fix into the rootfs split patch git-svn-id: svn://svn.openwrt.org/openwrt/trunk@16944 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- .../patches-2.6.27/065-rootfs_split.patch | 19 +++++++------ .../patches-2.6.28/065-rootfs_split.patch | 19 +++++++------ .../patches-2.6.30/065-rootfs_split.patch | 19 +++++++------ .../066-rootfs_split_squashfs4_fix.patch | 27 ------------------- 4 files changed, 27 insertions(+), 57 deletions(-) delete mode 100644 target/linux/generic-2.6/patches-2.6.30/066-rootfs_split_squashfs4_fix.patch diff --git a/target/linux/generic-2.6/patches-2.6.27/065-rootfs_split.patch b/target/linux/generic-2.6/patches-2.6.27/065-rootfs_split.patch index c05d79181..685a246a8 100644 --- a/target/linux/generic-2.6/patches-2.6.27/065-rootfs_split.patch +++ b/target/linux/generic-2.6/patches-2.6.27/065-rootfs_split.patch @@ -37,7 +37,7 @@ /* * MTD methods which simply translate the effective address and pass through -@@ -489,6 +491,148 @@ out_register: +@@ -489,6 +491,147 @@ out_register: return slave; } 
@@ -46,32 +46,31 @@ +#define ROOTFS_REMOVED_NAME "" +static int split_squashfs(struct mtd_info *master, int offset, int *split_offset) +{ -+ char buf[512]; -+ struct squashfs_super_block *sb = (struct squashfs_super_block *) buf; ++ struct squashfs_super_block sb; + int len, ret; + -+ ret = master->read(master, offset, sizeof(*sb), &len, buf); -+ if (ret || (len != sizeof(*sb))) { ++ ret = master->read(master, offset, sizeof(sb), &len, (void *) &sb); ++ if (ret || (len != sizeof(sb))) { + printk(KERN_ALERT "split_squashfs: error occured while reading " + "from \"%s\"\n", master->name); + return -EINVAL; + } + -+ if (*((u32 *) buf) != SQUASHFS_MAGIC) { ++ if (sb.s_magic != SQUASHFS_MAGIC) { + printk(KERN_ALERT "split_squashfs: no squashfs found in \"%s\"\n", + master->name); + *split_offset = 0; + return 0; + } + -+ if (sb->bytes_used <= 0) { ++ if (sb.bytes_used <= 0) { + printk(KERN_ALERT "split_squashfs: squashfs is empty in \"%s\"\n", + master->name); + *split_offset = 0; + return 0; + } + -+ len = (u32) sb->bytes_used; ++ len = (u32) sb.bytes_used; + len += (offset & 0x000fffff); + len += (master->erasesize - 1); + len &= ~(master->erasesize - 1); @@ -186,7 +185,7 @@ /* * This function, given a master MTD object and a partition table, creates * and registers slave MTD objects which are bound to the master according to -@@ -502,14 +646,29 @@ int add_mtd_partitions(struct mtd_info * +@@ -502,14 +645,29 @@ int add_mtd_partitions(struct mtd_info * { struct mtd_part *slave; u_int32_t cur_offset = 0; @@ -219,7 +218,7 @@ cur_offset = slave->offset + slave->mtd.size; } -@@ -517,6 +676,32 @@ int add_mtd_partitions(struct mtd_info * +@@ -517,6 +675,32 @@ int add_mtd_partitions(struct mtd_info * } EXPORT_SYMBOL(add_mtd_partitions); diff --git a/target/linux/generic-2.6/patches-2.6.28/065-rootfs_split.patch b/target/linux/generic-2.6/patches-2.6.28/065-rootfs_split.patch index 176bed8f8..2ba39834b 100644 --- a/target/linux/generic-2.6/patches-2.6.28/065-rootfs_split.patch 
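Review bot: In the rewritten prologue of `split_squashfs`, `len` is still an `int` whose address is passed as the fourth argument of `master->read`, right next to the new on-stack `struct squashfs_super_block sb`. The callback's prototype is not visible in this hunk, but if it takes a `size_t *retlen` as the mainline MTD read method does, a 64-bit target stores eight bytes through a pointer to a four-byte object. I would declare a separate `size_t retlen;`, call `master->read(master, offset, sizeof(sb), &retlen, (void *) &sb);` and test `retlen != sizeof(sb)`, keeping `len` for the size arithmetic only. The same lines appear in the 2.6.28 and 2.6.30 copies of this hunk, and the function body continues past the end of the hunk.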
+++ b/target/linux/generic-2.6/patches-2.6.28/065-rootfs_split.patch @@ -37,7 +37,7 @@ /* * MTD methods which simply translate the effective address and pass through -@@ -489,6 +491,148 @@ out_register: +@@ -489,6 +491,147 @@ out_register: return slave; } @@ -46,32 +46,31 @@ +#define ROOTFS_REMOVED_NAME "" +static int split_squashfs(struct mtd_info *master, int offset, int *split_offset) +{ -+ char buf[512]; -+ struct squashfs_super_block *sb = (struct squashfs_super_block *) buf; ++ struct squashfs_super_block sb; + int len, ret; + -+ ret = master->read(master, offset, sizeof(*sb), &len, buf); -+ if (ret || (len != sizeof(*sb))) { ++ ret = master->read(master, offset, sizeof(sb), &len, (void *) &sb); ++ if (ret || (len != sizeof(sb))) { + printk(KERN_ALERT "split_squashfs: error occured while reading " + "from \"%s\"\n", master->name); + return -EINVAL; + } + -+ if (*((u32 *) buf) != SQUASHFS_MAGIC) { ++ if (sb.s_magic != SQUASHFS_MAGIC) { + printk(KERN_ALERT "split_squashfs: no squashfs found in \"%s\"\n", + master->name); + *split_offset = 0; + return 0; + } + -+ if (sb->bytes_used <= 0) { ++ if (sb.bytes_used <= 0) { + printk(KERN_ALERT "split_squashfs: squashfs is empty in \"%s\"\n", + master->name); + *split_offset = 0; + return 0; + } + -+ len = (u32) sb->bytes_used; ++ len = (u32) sb.bytes_used; + len += (offset & 0x000fffff); + len += (master->erasesize - 1); + len &= ~(master->erasesize - 1); @@ -186,7 +185,7 @@ /* * This function, given a master MTD object and a partition table, creates * and registers slave MTD objects which are bound to the master according to -@@ -502,14 +646,29 @@ int add_mtd_partitions(struct mtd_info * +@@ -502,14 +645,29 @@ int add_mtd_partitions(struct mtd_info * { struct mtd_part *slave; u_int32_t cur_offset = 0; 
@@ -219,7 +218,7 @@ cur_offset = slave->offset + slave->mtd.size; } -@@ -517,6 +676,32 @@ int add_mtd_partitions(struct mtd_info * +@@ -517,6 +675,32 @@ int add_mtd_partitions(struct mtd_info * } EXPORT_SYMBOL(add_mtd_partitions); diff --git a/target/linux/generic-2.6/patches-2.6.30/065-rootfs_split.patch b/target/linux/generic-2.6/patches-2.6.30/065-rootfs_split.patch index 0eca8990b..824e3df10 100644 --- a/target/linux/generic-2.6/patches-2.6.30/065-rootfs_split.patch +++ b/target/linux/generic-2.6/patches-2.6.30/065-rootfs_split.patch @@ -37,7 +37,7 @@ /* * MTD methods which simply translate the effective address and pass through -@@ -512,6 +514,156 @@ out_register: +@@ -512,6 +514,155 @@ out_register: return slave; } @@ -54,32 +54,31 @@ + +static int split_squashfs(struct mtd_info *master, int offset, int *split_offset) +{ -+ char buf[512]; -+ struct squashfs_super_block *sb = (struct squashfs_super_block *) buf; ++ struct squashfs_super_block sb; + int len, ret; + -+ ret = master->read(master, offset, sizeof(*sb), &len, buf); -+ if (ret || (len != sizeof(*sb))) { ++ ret = master->read(master, offset, sizeof(sb), &len, (void *) &sb); ++ if (ret || (len != sizeof(sb))) { + printk(KERN_ALERT "split_squashfs: error occured while reading " + "from \"%s\"\n", master->name); + return -EINVAL; + } + -+ if (*((u32 *) buf) != SQUASHFS_MAGIC) { ++ if (SQUASHFS_MAGIC != le32_to_cpu(sb.s_magic) ) { + printk(KERN_ALERT "split_squashfs: no squashfs found in \"%s\"\n", + master->name); + *split_offset = 0; + return 0; + } + -+ if (sb->bytes_used <= 0) { ++ if (le64_to_cpu((sb.bytes_used)) <= 0) { + printk(KERN_ALERT "split_squashfs: squashfs is empty in \"%s\"\n", + master->name); + *split_offset = 0; + return 0; + } + -+ len = (u32) sb->bytes_used; ++ len = (u32) le64_to_cpu(sb.bytes_used); + len += (offset & 0x000fffff); + len += (master->erasesize - 1); + len &= ~(master->erasesize - 1); 
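Review bot: The `bytes_used` handling merged into the 2.6.30 `split_squashfs` hunk still trusts the on-flash value. `le64_to_cpu((sb.bytes_used)) <= 0` compares an unsigned 64-bit result, so it only rejects zero, and `len = (u32) le64_to_cpu(sb.bytes_used);` drops the upper 32 bits before storing into a signed `int`. A corrupted or mismatched image can therefore produce a wrapped or negative length that is then rounded up to the erase size. Consider checking the full 64-bit value against the remaining device space before narrowing, for example `if (bytes_used == 0 || bytes_used > master->size - offset)`, assuming `master->size` is the device size as `slave->mtd.size` in the later hunk suggests. Whether a bound check follows is not visible because the function continues past this hunk; the 2.6.27 and 2.6.28 hunks narrow `sb.bytes_used` the same way.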
@@ -194,7 +193,7 @@ /* * This function, given a master MTD object and a partition table, creates * and registers slave MTD objects which are bound to the master according to -@@ -527,14 +679,29 @@ int add_mtd_partitions(struct mtd_info * +@@ -527,14 +678,29 @@ int add_mtd_partitions(struct mtd_info * { struct mtd_part *slave; uint64_t cur_offset = 0; @@ -227,7 +226,7 @@ cur_offset = slave->offset + slave->mtd.size; } -@@ -542,6 +709,32 @@ int add_mtd_partitions(struct mtd_info * +@@ -542,6 +708,32 @@ int add_mtd_partitions(struct mtd_info * } EXPORT_SYMBOL(add_mtd_partitions); diff --git a/target/linux/generic-2.6/patches-2.6.30/066-rootfs_split_squashfs4_fix.patch b/target/linux/generic-2.6/patches-2.6.30/066-rootfs_split_squashfs4_fix.patch deleted file mode 100644 index a968a57fa..000000000 --- a/target/linux/generic-2.6/patches-2.6.30/066-rootfs_split_squashfs4_fix.patch +++ /dev/null @@ -1,27 +0,0 @@ ---- a/drivers/mtd/mtdpart.c -+++ b/drivers/mtd/mtdpart.c -@@ -538,21 +538,21 @@ static int split_squashfs(struct mtd_inf - return -EINVAL; - } - -- if (*((u32 *) buf) != SQUASHFS_MAGIC) { -+ if (SQUASHFS_MAGIC != le32_to_cpu(sb->s_magic) ) { - printk(KERN_ALERT "split_squashfs: no squashfs found in \"%s\"\n", - master->name); - *split_offset = 0; - return 0; - } - -- if (sb->bytes_used <= 0) { -+ if (le64_to_cpu((sb->bytes_used)) <= 0) { - printk(KERN_ALERT "split_squashfs: squashfs is empty in \"%s\"\n", - master->name); - *split_offset = 0; - return 0; - } - -- len = (u32) sb->bytes_used; -+ len = (u32) le64_to_cpu(sb->bytes_used); - len += (offset & 0x000fffff); - len += (master->erasesize - 1); - len &= ~(master->erasesize - 1); -- 2.20.1