    mtdchar: prevent integer overflow in a safety check · a1eda864
    Michał Kępień authored
    Commit 6420ac0a ("mtdchar: prevent unbounded allocation in MEMWRITE
    ioctl") added a safety check to mtdchar_write_ioctl() which attempts to
    ensure that the write request sent by user space does not extend beyond
    the MTD device's size.  However, that check contains an addition of two
    struct mtd_write_req fields, 'start' and 'len', both of which are u64
    variables.  The result of that addition can overflow, allowing the
    safety check to be bypassed.
    
    The arguably simplest fix - changing the data types of the relevant
    struct mtd_write_req fields - is not feasible as it would break user
    space.
    
    Fix by making mtdchar_write_ioctl() truncate the value provided by user
    space in the 'len' field of struct mtd_write_req, so that only the lower
    32 bits of that field are used, preventing the overflow.
    
    While the 'ooblen' field of struct mtd_write_req is not currently used
    in any similarly flawed safety check, also truncate it to 32 bits, for
    consistency with the 'len' field and with other MTD routines handling
    OOB data.
    
    Update include/uapi/mtd/mtd-abi.h accordingly.
    Suggested-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Michał Kępień <kernel@kempniu.pl>
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Link: https://lore.kernel.org/linux-mtd/20220516070601.11428-2-kernel@kempniu.pl
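The arithmetic the commit message describes, as an added example that is not the kernel's code: a constructed stand-in for the 'start' and 'len' fields of struct mtd_write_req, the plain u64 sum that can wrap beside the 32-bit-truncated form the commit adopts, and a constructed request that shows the difference. The struct name, the 16 MiB device size and the request values are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the two struct mtd_write_req fields the commit
 * message discusses; both are u64 in the real UAPI header. */
struct write_req {
    uint64_t start;
    uint64_t len;
};

/* The check as the commit describes it before the fix: a 64-bit sum of two
 * user-controlled u64 values, which can wrap around to a small number. */
bool in_bounds_sum(struct write_req req, uint64_t dev_size)
{
    return req.start + req.len <= dev_size;
}

/* The commit's approach: keep only the low 32 bits of 'len' before adding.
 * With 'len' limited to 32 bits the sum cannot wrap for any 'start' below
 * UINT64_MAX - UINT32_MAX, so an oversized 'len' no longer slips past. */
bool in_bounds_truncated(struct write_req req, uint64_t dev_size)
{
    uint64_t len = req.len & 0xffffffffULL;   /* truncation, as in the fix */
    return req.start + len <= dev_size;
}

/* Constructed request whose 'len' is exactly 2^64 - start: the plain sum
 * wraps to 0 and passes the check, the truncated sum does not. */
struct write_req make_wrapping_req(uint64_t start)
{
    struct write_req req = { .start = start, .len = (uint64_t)0 - start };
    return req;
}

int main(void)
{
    const uint64_t dev_size = 16u << 20;   /* constructed 16 MiB device */
    struct write_req ok = { .start = 0x100000, .len = 0x1000 };
    struct write_req bad = make_wrapping_req(0x100000);

    printf("valid request   : sum=%d truncated=%d\n",
           in_bounds_sum(ok, dev_size), in_bounds_truncated(ok, dev_size));
    printf("wrapping request: sum=%d truncated=%d\n",
           in_bounds_sum(bad, dev_size), in_bounds_truncated(bad, dev_size));
    return 0;
}
```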