Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

mtdchar: fix integer overflow in read/write ioctls

The "req.start" and "req.len" variables are u64 values that come from the
user at the start of the function. We mask away the high 32 bits of
"req.len" so that's capped at U32_MAX but the "req.start" variable can go
up to U64_MAX which means that the addition can still integer overflow.

Use check_add_overflow() to fix this bug.

Fixes: 095bb6e44eb1 ("mtdchar: add MEMREAD ioctl")
Fixes: 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>

authored by Dan Carpenter and committed by Miquel Raynal
e4185bed 3a866087

+4 -2
drivers/mtd/mtdchar.c
··· 599 599 uint8_t *datbuf = NULL, *oobbuf = NULL; 600 600 size_t datbuf_len, oobbuf_len; 601 601 int ret = 0; 602 + u64 end; 602 603 603 604 if (copy_from_user(&req, argp, sizeof(req))) 604 605 return -EFAULT; ··· 619 618 req.len &= 0xffffffff; 620 619 req.ooblen &= 0xffffffff; 621 620 622 - if (req.start + req.len > mtd->size) 621 + if (check_add_overflow(req.start, req.len, &end) || end > mtd->size) 623 622 return -EINVAL; 624 623 625 624 datbuf_len = min_t(size_t, req.len, mtd->erasesize); ··· 699 698 size_t datbuf_len, oobbuf_len; 700 699 size_t orig_len, orig_ooblen; 701 700 int ret = 0; 701 + u64 end; 702 702 703 703 if (copy_from_user(&req, argp, sizeof(req))) 704 704 return -EFAULT; ··· 726 724 req.len &= 0xffffffff; 727 725 req.ooblen &= 0xffffffff; 728 726 729 - if (req.start + req.len > mtd->size) { 727 + if (check_add_overflow(req.start, req.len, &end) || end > mtd->size) { 730 728 ret = -EINVAL; 731 729 goto out; 732 730 }
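Review bot: the new check at new line 622 (first function, hunk starting at 618/619) gives no hint of why the addition can wrap even though req.len was masked two lines earlier. A one-line comment above it saying that req.start is still an unmasked u64 from userspace would keep a later cleanup from reverting to the plain sum. The end local is used only by this check in the visible lines, so an equivalent form without a temporary is also possible: req.start > mtd->size || req.len > mtd->size - req.start.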
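Review bot: the condition added at new line 729 (second function, hunk starting at 726/724) is character-for-character the same as the one added at line 622, and each function also gains its own u64 end. A small static helper in mtdchar.c that takes mtd, start and len and returns whether the range fits would keep the two ioctl paths from drifting apart the next time the bounds logic changes. The only difference left at the call sites would be the error handling, which is a direct return -EINVAL in the first function and ret = -EINVAL; goto out; here.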