From: Kees Cook <kees@kernel.org>
To: Finn Thain <fthain@linux-m68k.org>
Cc: Miquel Raynal <miquel.raynal@bootlin.com>,
Richard Weinberger <richard@nod.at>,
Vignesh Raghavendra <vigneshr@ti.com>,
Miguel Ojeda <ojeda@kernel.org>,
stable@vger.kernel.org, linux-hardening@vger.kernel.org,
linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mtd: Avoid boot crash in RedBoot partition table parser
Date: Sun, 15 Feb 2026 19:48:08 -0800 [thread overview]
Message-ID: <202602151911.AD092DFFCD@keescook> (raw)
In-Reply-To: <92af570970aadee773f2b0b18179efef0f34be93.1771114891.git.fthain@linux-m68k.org>
On Sun, Feb 15, 2026 at 11:21:31AM +1100, Finn Thain wrote:
> memcmp: detected buffer overflow: 15 byte read of buffer size 14
> [...]
> - !memcmp(names, "RedBoot config", 15) ||
The warning is saying that "names" is detected to be 14 bytes in size. It
is allocated here, and nulllen can be ignored (it is fixed size, either 0
or sizeof(nullstring), and skipped over):
parts = kzalloc(sizeof(*parts) * nrparts + nulllen + namelen, GFP_KERNEL);
...
nullname = (char *)&parts[nrparts];
...
names = nullname + nulllen;
so "names" is pointing to the final "namelen" many bytes of the
allocation. Calculating "namelen" happens via an earlier for loop:
buf = vmalloc(master->erasesize);
...
ret = mtd_read(master, offset, master->erasesize, &retlen,
(void *)buf);
...
numslots = (master->erasesize / sizeof(struct fis_image_desc));
...
for (i = 0; i < numslots; i++) {
...
namelen += strlen(buf[i].name) + 1;
So namelen could be basically any length at all. This fortify warning
looks legit to me -- this code used to be reading beyond the end of
the allocation.
Your patch looks technically correct, but why not just use strcmp? Both
arguments are NUL-terminated. The memcmp() calls were all including the
NUL byte, so they're effectively doing strcmp except that they weren't
stopping at the first NUL byte. So probably just better to do:
diff --git a/drivers/mtd/parsers/redboot.c b/drivers/mtd/parsers/redboot.c
index 3b55b676ca6b..c06ba7a2a34b 100644
--- a/drivers/mtd/parsers/redboot.c
+++ b/drivers/mtd/parsers/redboot.c
@@ -270,9 +270,9 @@ static int parse_redboot_partitions(struct mtd_info *master,
strcpy(names, fl->img->name);
#ifdef CONFIG_MTD_REDBOOT_PARTS_READONLY
- if (!memcmp(names, "RedBoot", 8) ||
- !memcmp(names, "RedBoot config", 15) ||
- !memcmp(names, "FIS directory", 14)) {
+ if (!strcmp(names, "RedBoot") ||
+ !strcmp(names, "RedBoot config") ||
+ !strcmp(names, "FIS directory")) {
parts[i].mask_flags = MTD_WRITEABLE;
}
#endif
--
Kees Cook
prev parent reply other threads:[~2026-02-16 3:48 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-15 0:21 [PATCH] mtd: Avoid boot crash in RedBoot partition table parser Finn Thain
2026-02-16 3:48 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202602151911.AD092DFFCD@keescook \
--to=kees@kernel.org \
--cc=fthain@linux-m68k.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=miquel.raynal@bootlin.com \
--cc=ojeda@kernel.org \
--cc=richard@nod.at \
--cc=stable@vger.kernel.org \
--cc=vigneshr@ti.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox