Commit 6c6bc9ea authored Jul 07, 2018 by Jann Horn Committed by Boris Brezillon Jul 18, 2018

mtdchar: fix overflows in adjustment of `count`



The first checks in mtdchar_read() and mtdchar_write() attempt to limit
`count` such that `*ppos + count <= mtd->size`. However, they ignore the
possibility of `*ppos > mtd->size`, allowing the calculation of `count` to
wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the
pread/pwrite syscalls bypass this.

I haven't found any codepath on which this actually causes dangerous
behavior, but it seems like a sensible change anyway.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>

parent 89fd23ef

drivers/mtd/mtdchar.c

+7 −3

Original line number	Diff line number	Diff line
		@@ -160,8 +160,12 @@ static ssize_t mtdchar_read(struct file file, char __user buf, size_t count,

		pr_debug("MTD_read\n");

		if (*ppos + count > mtd->size)
		if (*ppos + count > mtd->size) {
		if (*ppos < mtd->size)
		count = mtd->size - *ppos;
		else
		count = 0;
		}

		if (!count)
		return 0;
		@@ -246,7 +250,7 @@ static ssize_t mtdchar_write(struct file file, const char __user buf, size_t c

		pr_debug("MTD_write\n");

		if (*ppos == mtd->size)
		if (*ppos >= mtd->size)
		return -ENOSPC;

		if (*ppos + count > mtd->size)

Admin message