* [PATCH v2 resend] mtdchar: fix integer overflow in read/write ioctls
@ 2025-09-30 12:32 Dan Carpenter
2025-09-30 12:57 ` Miquel Raynal
2025-10-22 9:56 ` Miquel Raynal
0 siblings, 2 replies; 3+ messages in thread
From: Dan Carpenter @ 2025-09-30 12:32 UTC (permalink / raw)
To: Michał Kępień
Cc: Miquel Raynal, Richard Weinberger, Vignesh Raghavendra, linux-mtd,
linux-kernel, kernel-janitors
The "req.start" and "req.len" variables are u64 values that come from the
user at the start of the function. We mask away the high 32 bits of
"req.len" so that's capped at U32_MAX but the "req.start" variable can go
up to U64_MAX which means that the addition can still integer overflow.
Use check_add_overflow() to fix this bug.
Fixes: 095bb6e44eb1 ("mtdchar: add MEMREAD ioctl")
Fixes: 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
v2: fix the tags.
RESEND: I sent this last year but it wasn't applied.
https://lore.kernel.org/all/Z1ax3K3-zSJExPNV@stanley.mountain/
drivers/mtd/mtdchar.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
index 8dc4f5c493fc..335c702633ff 100644
--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -599,6 +599,7 @@ mtdchar_write_ioctl(struct mtd_info *mtd, struct mtd_write_req __user *argp)
uint8_t *datbuf = NULL, *oobbuf = NULL;
size_t datbuf_len, oobbuf_len;
int ret = 0;
+ u64 end;
if (copy_from_user(&req, argp, sizeof(req)))
return -EFAULT;
@@ -618,7 +619,7 @@ mtdchar_write_ioctl(struct mtd_info *mtd, struct mtd_write_req __user *argp)
req.len &= 0xffffffff;
req.ooblen &= 0xffffffff;
- if (req.start + req.len > mtd->size)
+ if (check_add_overflow(req.start, req.len, &end) || end > mtd->size)
return -EINVAL;
datbuf_len = min_t(size_t, req.len, mtd->erasesize);
@@ -698,6 +699,7 @@ mtdchar_read_ioctl(struct mtd_info *mtd, struct mtd_read_req __user *argp)
size_t datbuf_len, oobbuf_len;
size_t orig_len, orig_ooblen;
int ret = 0;
+ u64 end;
if (copy_from_user(&req, argp, sizeof(req)))
return -EFAULT;
@@ -724,7 +726,7 @@ mtdchar_read_ioctl(struct mtd_info *mtd, struct mtd_read_req __user *argp)
req.len &= 0xffffffff;
req.ooblen &= 0xffffffff;
- if (req.start + req.len > mtd->size) {
+ if (check_add_overflow(req.start, req.len, &end) || end > mtd->size) {
ret = -EINVAL;
goto out;
}
--
2.45.2
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH v2 resend] mtdchar: fix integer overflow in read/write ioctls
2025-09-30 12:32 [PATCH v2 resend] mtdchar: fix integer overflow in read/write ioctls Dan Carpenter
@ 2025-09-30 12:57 ` Miquel Raynal
2025-10-22 9:56 ` Miquel Raynal
1 sibling, 0 replies; 3+ messages in thread
From: Miquel Raynal @ 2025-09-30 12:57 UTC (permalink / raw)
To: Dan Carpenter
Cc: Michał Kępień, Richard Weinberger,
Vignesh Raghavendra, linux-mtd, linux-kernel, kernel-janitors
Hi Dan,
On 30/09/2025 at 15:32:34 +03, Dan Carpenter <dan.carpenter@linaro.org> wrote:
> The "req.start" and "req.len" variables are u64 values that come from the
> user at the start of the function. We mask away the high 32 bits of
> "req.len" so that's capped at U32_MAX but the "req.start" variable can go
> up to U64_MAX which means that the addition can still integer overflow.
>
> Use check_add_overflow() to fix this bug.
>
> Fixes: 095bb6e44eb1 ("mtdchar: add MEMREAD ioctl")
> Fixes: 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl")
> Cc: stable@vger.kernel.org
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
> v2: fix the tags.
> RESEND: I sent this last year but it wasn't applied.
> https://lore.kernel.org/all/Z1ax3K3-zSJExPNV@stanley.mountain/
I don't know why, perhaps it got filtered as SPAM, I don't know, but I'm
sorry about that.
I've just "closed" next, so I'll queue this in a fixes PR on top of
v5.18-rc1.
Thanks,
Miquèl
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH v2 resend] mtdchar: fix integer overflow in read/write ioctls
2025-09-30 12:32 [PATCH v2 resend] mtdchar: fix integer overflow in read/write ioctls Dan Carpenter
2025-09-30 12:57 ` Miquel Raynal
@ 2025-10-22 9:56 ` Miquel Raynal
1 sibling, 0 replies; 3+ messages in thread
From: Miquel Raynal @ 2025-10-22 9:56 UTC (permalink / raw)
To: Michał Kępień, Dan Carpenter
Cc: Richard Weinberger, Vignesh Raghavendra, linux-mtd, linux-kernel,
kernel-janitors
On Tue, 30 Sep 2025 15:32:34 +0300, Dan Carpenter wrote:
> The "req.start" and "req.len" variables are u64 values that come from the
> user at the start of the function. We mask away the high 32 bits of
> "req.len" so that's capped at U32_MAX but the "req.start" variable can go
> up to U64_MAX which means that the addition can still integer overflow.
>
> Use check_add_overflow() to fix this bug.
>
> [...]
Applied to mtd/fixes, thanks!
[1/1] mtdchar: fix integer overflow in read/write ioctls
commit: e4185bed738da755b191aa3f2e16e8b48450e1b8
Patche(s) should be available on mtd/linux.git and will be
part of the next PR (provided that no robot complains by then).
Kind regards,
Miquèl
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-10-22 9:57 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-30 12:32 [PATCH v2 resend] mtdchar: fix integer overflow in read/write ioctls Dan Carpenter
2025-09-30 12:57 ` Miquel Raynal
2025-10-22 9:56 ` Miquel Raynal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox