linux

History

Michał Kępień a1eda864c0 mtdchar: prevent integer overflow in a safety check Commit `6420ac0af9` ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl") added a safety check to mtdchar_write_ioctl() which attempts to ensure that the write request sent by user space does not extend beyond the MTD device's size. However, that check contains an addition of two struct mtd_write_req fields, 'start' and 'len', both of which are u64 variables. The result of that addition can overflow, allowing the safety check to be bypassed. The arguably simplest fix - changing the data types of the relevant struct mtd_write_req fields - is not feasible as it would break user space. Fix by making mtdchar_write_ioctl() truncate the value provided by user space in the 'len' field of struct mtd_write_req, so that only the lower 32 bits of that field are used, preventing the overflow. While the 'ooblen' field of struct mtd_write_req is not currently used in any similarly flawed safety check, also truncate it to 32 bits, for consistency with the 'len' field and with other MTD routines handling OOB data. Update include/uapi/mtd/mtd-abi.h accordingly. Suggested-by: Richard Weinberger <richard@nod.at> Signed-off-by: Michał Kępień <kernel@kempniu.pl> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> Link: https://lore.kernel.org/linux-mtd/20220516070601.11428-2-kernel@kempniu.pl		2022-06-09 15:03:32 +02:00
..
inftl-user.h	License cleanup: add SPDX license identifier to uapi header files with no license	2017-11-02 11:19:54 +01:00
mtd-abi.h	mtdchar: prevent integer overflow in a safety check	2022-06-09 15:03:32 +02:00
mtd-user.h	License cleanup: add SPDX license identifier to uapi header files with a license	2017-11-02 11:20:11 +01:00
nftl-user.h	License cleanup: add SPDX license identifier to uapi header files with a license	2017-11-02 11:20:11 +01:00
ubi-user.h	ubi: Expose the bitrot interface	2019-02-24 11:40:45 +01:00