* [PATCH] mtdchar: fix overflows in adjustment of `count`
@ 2018-07-07 3:37 Jann Horn
2018-07-07 8:44 ` Boris Brezillon
2018-07-18 18:30 ` Boris Brezillon
0 siblings, 2 replies; 5+ messages in thread
From: Jann Horn @ 2018-07-07 3:37 UTC (permalink / raw)
To: David Woodhouse, Brian Norris, Boris Brezillon, Marek Vasut,
Richard Weinberger, jannh
Cc: linux-mtd, linux-kernel
The first checks in mtdchar_read() and mtdchar_write() attempt to limit
`count` such that `*ppos + count <= mtd->size`. However, they ignore the
possibility of `*ppos > mtd->size`, allowing the calculation of `count` to
wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the
pread/pwrite syscalls bypass this.
I haven't found any codepath on which this actually causes dangerous
behavior, but it seems like a sensible change anyway.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
---
drivers/mtd/mtdchar.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
index cd67c85cc87d..02389528f622 100644
--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -160,8 +160,12 @@ static ssize_t mtdchar_read(struct file *file, char __user *buf, size_t count,
pr_debug("MTD_read\n");
- if (*ppos + count > mtd->size)
- count = mtd->size - *ppos;
+ if (*ppos + count > mtd->size) {
+ if (*ppos < mtd->size)
+ count = mtd->size - *ppos;
+ else
+ count = 0;
+ }
if (!count)
return 0;
@@ -246,7 +250,7 @@ static ssize_t mtdchar_write(struct file *file, const char __user *buf, size_t c
pr_debug("MTD_write\n");
- if (*ppos == mtd->size)
+ if (*ppos >= mtd->size)
return -ENOSPC;
if (*ppos + count > mtd->size)
--
2.18.0.203.gfac676dfb9-goog
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] mtdchar: fix overflows in adjustment of `count` 2018-07-07 3:37 [PATCH] mtdchar: fix overflows in adjustment of `count` Jann Horn @ 2018-07-07 8:44 ` Boris Brezillon 2018-07-07 9:03 ` Jann Horn 2018-07-18 18:30 ` Boris Brezillon 1 sibling, 1 reply; 5+ messages in thread From: Boris Brezillon @ 2018-07-07 8:44 UTC (permalink / raw) To: Jann Horn Cc: David Woodhouse, Brian Norris, Marek Vasut, Richard Weinberger, linux-mtd, linux-kernel On Sat, 7 Jul 2018 05:37:22 +0200 Jann Horn <jannh@google.com> wrote: > The first checks in mtdchar_read() and mtdchar_write() attempt to limit > `count` such that `*ppos + count <= mtd->size`. However, they ignore the > possibility of `*ppos > mtd->size`, allowing the calculation of `count` to > wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the > pread/pwrite syscalls bypass this. > > I haven't found any codepath on which this actually causes dangerous > behavior, but it seems like a sensible change anyway. > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Jann Horn <jannh@google.com> > --- > drivers/mtd/mtdchar.c | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > > diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c > index cd67c85cc87d..02389528f622 100644 > --- a/drivers/mtd/mtdchar.c > +++ b/drivers/mtd/mtdchar.c > @@ -160,8 +160,12 @@ static ssize_t mtdchar_read(struct file *file, char __user *buf, size_t count, > > pr_debug("MTD_read\n"); > > - if (*ppos + count > mtd->size) > - count = mtd->size - *ppos; > + if (*ppos + count > mtd->size) { > + if (*ppos < mtd->size) > + count = mtd->size - *ppos; > + else > + count = 0; > + } Hm, shouldn't we return -ERANGE or -EINVAL if *ppos >= mtd->size? > > if (!count) > return 0; > @@ -246,7 +250,7 @@ static ssize_t mtdchar_write(struct file *file, const char __user *buf, size_t c > > pr_debug("MTD_write\n"); > > - if (*ppos == mtd->size) > + if (*ppos >= mtd->size) > return -ENOSPC; > > if (*ppos + count > mtd->size) ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] mtdchar: fix overflows in adjustment of `count` 2018-07-07 8:44 ` Boris Brezillon @ 2018-07-07 9:03 ` Jann Horn 2018-07-08 12:45 ` Boris Brezillon 0 siblings, 1 reply; 5+ messages in thread From: Jann Horn @ 2018-07-07 9:03 UTC (permalink / raw) To: boris.brezillon Cc: dwmw2, computersforpeace, marek.vasut, richard, linux-mtd, kernel list, Linux API +cc linux-api On Sat, Jul 7, 2018 at 10:44 AM Boris Brezillon <boris.brezillon@bootlin.com> wrote: > > On Sat, 7 Jul 2018 05:37:22 +0200 > Jann Horn <jannh@google.com> wrote: > > > The first checks in mtdchar_read() and mtdchar_write() attempt to limit > > `count` such that `*ppos + count <= mtd->size`. However, they ignore the > > possibility of `*ppos > mtd->size`, allowing the calculation of `count` to > > wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the > > pread/pwrite syscalls bypass this. > > > > I haven't found any codepath on which this actually causes dangerous > > behavior, but it seems like a sensible change anyway. > > > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > > Signed-off-by: Jann Horn <jannh@google.com> > > --- > > drivers/mtd/mtdchar.c | 10 +++++++--- > > 1 file changed, 7 insertions(+), 3 deletions(-) > > > > diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c > > index cd67c85cc87d..02389528f622 100644 > > --- a/drivers/mtd/mtdchar.c > > +++ b/drivers/mtd/mtdchar.c > > @@ -160,8 +160,12 @@ static ssize_t mtdchar_read(struct file *file, char __user *buf, size_t count, > > > > pr_debug("MTD_read\n"); > > > > - if (*ppos + count > mtd->size) > > - count = mtd->size - *ppos; > > + if (*ppos + count > mtd->size) { > > + if (*ppos < mtd->size) > > + count = mtd->size - *ppos; > > + else > > + count = 0; > > + } > > Hm, shouldn't we return -ERANGE or -EINVAL if *ppos >= mtd->size? Hmm, good question. The pread() manpage says that pread() can return the same errors as lseek(), and the lseek() manpage says that -EINVAL is for when you're trying to seek beyond the end of a seekable device. So from the documentation, it sounds as if you're right. But testing pread() beyond end of file for various things on my machine seems to just return 0: # cat pread.c #include <unistd.h> #include <stdlib.h> int main(int argc, char **argv) { char buf[0x1000]; off_t off = strtoul(argv[1], NULL, 0); pread(0, buf, 0x1000, off); } # gcc -o pread pread.c # strace -e trace=pread64 ./pread 200000000 < /dev/sda1 pread64(0, "", 4096, 200000000) = 0 +++ exited with 0 +++ # strace -e trace=pread64 ./pread 100000 < /sys/kernel/debug/x86/tlb_single_page_flush_ceiling pread64(0, "", 4096, 100000) = 0 +++ exited with 0 +++ # strace -e trace=pread64 ./pread 20000000000 < /dev/dm-2 pread64(0, "", 4096, 20000000000) = 0 +++ exited with 0 +++ Do you know of precedent for returning -EINVAL if *ppos is beyond the end of the device? > > > > if (!count) > > return 0; > > @@ -246,7 +250,7 @@ static ssize_t mtdchar_write(struct file *file, const char __user *buf, size_t c > > > > pr_debug("MTD_write\n"); > > > > - if (*ppos == mtd->size) > > + if (*ppos >= mtd->size) > > return -ENOSPC; > > > > if (*ppos + count > mtd->size) > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] mtdchar: fix overflows in adjustment of `count` 2018-07-07 9:03 ` Jann Horn @ 2018-07-08 12:45 ` Boris Brezillon 0 siblings, 0 replies; 5+ messages in thread From: Boris Brezillon @ 2018-07-08 12:45 UTC (permalink / raw) To: Jann Horn Cc: richard, kernel list, marek.vasut, linux-mtd, Linux API, computersforpeace, dwmw2 On Sat, 7 Jul 2018 11:03:00 +0200 Jann Horn <jannh@google.com> wrote: > +cc linux-api > > On Sat, Jul 7, 2018 at 10:44 AM Boris Brezillon > <boris.brezillon@bootlin.com> wrote: > > > > On Sat, 7 Jul 2018 05:37:22 +0200 > > Jann Horn <jannh@google.com> wrote: > > > > > The first checks in mtdchar_read() and mtdchar_write() attempt to limit > > > `count` such that `*ppos + count <= mtd->size`. However, they ignore the > > > possibility of `*ppos > mtd->size`, allowing the calculation of `count` to > > > wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the > > > pread/pwrite syscalls bypass this. > > > > > > I haven't found any codepath on which this actually causes dangerous > > > behavior, but it seems like a sensible change anyway. > > > > > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > > > Signed-off-by: Jann Horn <jannh@google.com> > > > --- > > > drivers/mtd/mtdchar.c | 10 +++++++--- > > > 1 file changed, 7 insertions(+), 3 deletions(-) > > > > > > diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c > > > index cd67c85cc87d..02389528f622 100644 > > > --- a/drivers/mtd/mtdchar.c > > > +++ b/drivers/mtd/mtdchar.c > > > @@ -160,8 +160,12 @@ static ssize_t mtdchar_read(struct file *file, char __user *buf, size_t count, > > > > > > pr_debug("MTD_read\n"); > > > > > > - if (*ppos + count > mtd->size) > > > - count = mtd->size - *ppos; > > > + if (*ppos + count > mtd->size) { > > > + if (*ppos < mtd->size) > > > + count = mtd->size - *ppos; > > > + else > > > + count = 0; > > > + } > > > > Hm, shouldn't we return -ERANGE or -EINVAL if *ppos >= mtd->size? > > Hmm, good question. > The pread() manpage says that pread() can return the same errors as > lseek(), and the lseek() manpage says that -EINVAL is for when you're > trying to seek beyond the end of a seekable device. So from the > documentation, it sounds as if you're right. > But testing pread() beyond end of file for various things on my > machine seems to just return 0: > > # cat pread.c > #include <unistd.h> > #include <stdlib.h> > int main(int argc, char **argv) { > char buf[0x1000]; > off_t off = strtoul(argv[1], NULL, 0); > pread(0, buf, 0x1000, off); > } > # gcc -o pread pread.c > # strace -e trace=pread64 ./pread 200000000 < /dev/sda1 > pread64(0, "", 4096, 200000000) = 0 > +++ exited with 0 +++ > # strace -e trace=pread64 ./pread 100000 < > /sys/kernel/debug/x86/tlb_single_page_flush_ceiling > pread64(0, "", 4096, 100000) = 0 > +++ exited with 0 +++ > # strace -e trace=pread64 ./pread 20000000000 < /dev/dm-2 > pread64(0, "", 4096, 20000000000) = 0 > +++ exited with 0 +++ > > Do you know of precedent for returning -EINVAL if *ppos is beyond the > end of the device? Nope, it just made more sense to me than returning 0. Anyway, let's keep the most common behavior, even if it's not documented this way ;-). > > > > > > > if (!count) > > > return 0; > > > @@ -246,7 +250,7 @@ static ssize_t mtdchar_write(struct file *file, const char __user *buf, size_t c > > > > > > pr_debug("MTD_write\n"); > > > > > > - if (*ppos == mtd->size) > > > + if (*ppos >= mtd->size) > > > return -ENOSPC; > > > > > > if (*ppos + count > mtd->size) > > > > ______________________________________________________ > Linux MTD discussion mailing list > http://lists.infradead.org/mailman/listinfo/linux-mtd/ ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] mtdchar: fix overflows in adjustment of `count` 2018-07-07 3:37 [PATCH] mtdchar: fix overflows in adjustment of `count` Jann Horn 2018-07-07 8:44 ` Boris Brezillon @ 2018-07-18 18:30 ` Boris Brezillon 1 sibling, 0 replies; 5+ messages in thread From: Boris Brezillon @ 2018-07-18 18:30 UTC (permalink / raw) To: Jann Horn Cc: David Woodhouse, Brian Norris, Marek Vasut, Richard Weinberger, linux-mtd, linux-kernel On Sat, 7 Jul 2018 05:37:22 +0200 Jann Horn <jannh@google.com> wrote: > The first checks in mtdchar_read() and mtdchar_write() attempt to limit > `count` such that `*ppos + count <= mtd->size`. However, they ignore the > possibility of `*ppos > mtd->size`, allowing the calculation of `count` to > wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the > pread/pwrite syscalls bypass this. > > I haven't found any codepath on which this actually causes dangerous > behavior, but it seems like a sensible change anyway. > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Jann Horn <jannh@google.com> Applied. Thanks, Boris > --- > drivers/mtd/mtdchar.c | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > > diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c > index cd67c85cc87d..02389528f622 100644 > --- a/drivers/mtd/mtdchar.c > +++ b/drivers/mtd/mtdchar.c > @@ -160,8 +160,12 @@ static ssize_t mtdchar_read(struct file *file, char __user *buf, size_t count, > > pr_debug("MTD_read\n"); > > - if (*ppos + count > mtd->size) > - count = mtd->size - *ppos; > + if (*ppos + count > mtd->size) { > + if (*ppos < mtd->size) > + count = mtd->size - *ppos; > + else > + count = 0; > + } > > if (!count) > return 0; > @@ -246,7 +250,7 @@ static ssize_t mtdchar_write(struct file *file, const char __user *buf, size_t c > > pr_debug("MTD_write\n"); > > - if (*ppos == mtd->size) > + if (*ppos >= mtd->size) > return -ENOSPC; > > if (*ppos + count > mtd->size) ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-07-18 18:31 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2018-07-07 3:37 [PATCH] mtdchar: fix overflows in adjustment of `count` Jann Horn 2018-07-07 8:44 ` Boris Brezillon 2018-07-07 9:03 ` Jann Horn 2018-07-08 12:45 ` Boris Brezillon 2018-07-18 18:30 ` Boris Brezillon
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox