lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Mar 2017 17:19:12 +0200 From: Boris Brezillon <boris.brezillon@...e-electrons.com> To: chenwy <chenwy-fnst@...fujitsu.com> Cc: <linux-mtd@...ts.infradead.org>, fnstml-fjl@...fujitsu.com, linux-kernel@...r.kernel.org Subject: Re: [PATCH v2] mtdram: check offs and len where appropriate On Fri, 17 Mar 2017 10:29:39 +0800 chenwy <chenwy-fnst@...fujitsu.com> wrote: > We should prevent user to operating mtd device with > an illegal offset or length. I realize that all the tests you do here are already done in mtdcore.c. If one is missing, please patch mtdcore.c instead. Thanks, Boris > > Signed-off-by: Chen Wenyong <chenwy-fnst@...fujitsu.com> > --- > drivers/mtd/devices/mtdram.c | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) > > diff --git a/drivers/mtd/devices/mtdram.c b/drivers/mtd/devices/mtdram.c > index cbd8547..83e1603 100644 > --- a/drivers/mtd/devices/mtdram.c > +++ b/drivers/mtd/devices/mtdram.c > @@ -58,6 +58,10 @@ static int ram_erase(struct mtd_info *mtd, struct erase_info *instr) > { > if (check_offs_len(mtd, instr->addr, instr->len)) > return -EINVAL; > + if (mtd->size < (instr->len + instr->addr) || instr->addr < 0 > + || instr->len < 0) > + return -EINVAL; > + > memset((char *)mtd->priv + instr->addr, 0xff, instr->len); > instr->state = MTD_ERASE_DONE; > mtd_erase_callback(instr); > @@ -67,6 +71,9 @@ static int ram_erase(struct mtd_info *mtd, struct erase_info *instr) > static int ram_point(struct mtd_info *mtd, loff_t from, size_t len, > size_t *retlen, void **virt, resource_size_t *phys) > { > + if (mtd->size < (len + from) || from < 0 || len < 0) > + return -EINVAL; > + > *virt = mtd->priv + from; > *retlen = len; > return 0; > @@ -74,6 +81,9 @@ static int ram_point(struct mtd_info *mtd, loff_t from, size_t len, > > static int ram_unpoint(struct mtd_info *mtd, loff_t from, size_t len) > { > + if (mtd->size < (len + from) || from < 0 || len < 0) > + return -EINVAL; > + > return 0; > } > > @@ -93,6 +103,9 @@ static unsigned long ram_get_unmapped_area(struct mtd_info *mtd, > static int ram_read(struct mtd_info *mtd, loff_t from, size_t len, > size_t *retlen, u_char *buf) > { > + if (mtd->size < (len + from) || from < 0 || len < 0) > + return -EINVAL; > + > memcpy(buf, mtd->priv + from, len); > *retlen = len; > return 0; > @@ -101,6 +114,9 @@ static int ram_read(struct mtd_info *mtd, loff_t from, size_t len, > static int ram_write(struct mtd_info *mtd, loff_t to, size_t len, > size_t *retlen, const u_char *buf) > { > + if (mtd->size < (len + to) || to < 0 || len < 0) > + return -EINVAL; > + > memcpy((char *)mtd->priv + to, buf, len); > *retlen = len; > return 0;
Powered by blists - more mailing lists