lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 16 Sep 2020 22:40:45 +0300
From:   Evgeny Novikov <novikov@...ras.ru>
To:     Miquel Raynal <miquel.raynal@...tlin.com>
Cc:     Evgeny Novikov <novikov@...ras.ru>,
        Richard Weinberger <richard@....at>,
        Vignesh Raghavendra <vigneshr@...com>,
        Matthias Brugger <matthias.bgg@...il.com>,
        Boris Brezillon <boris.brezillon@...labora.com>,
        "Gustavo A. R. Silva" <gustavo@...eddedor.com>,
        Masahiro Yamada <yamada.masahiro@...ionext.com>,
        Stephen Boyd <swboyd@...omium.org>,
        linux-mtd@...ts.infradead.org,
        linux-arm-kernel@...ts.infradead.org,
        linux-mediatek@...ts.infradead.org, linux-kernel@...r.kernel.org,
        ldv-project@...uxtesting.org
Subject: [PATCH] mtd: rawnand: mtk: avoid underflow in mtk_nfc_nand_chip_init()

If of_get_property() will set nsels to negative values the driver may
allocate insufficient memory for chip. Moreover, there may be underflow
for devm_kzalloc(). This can result in various bad consequences later.
The patch causes mtk_nfc_nand_chip_init() to fail for negative values of
nsels.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Evgeny Novikov <novikov@...ras.ru>
---
 drivers/mtd/nand/raw/mtk_nand.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c
index ad1b55dab211..df98a2eec240 100644
--- a/drivers/mtd/nand/raw/mtk_nand.c
+++ b/drivers/mtd/nand/raw/mtk_nand.c
@@ -1376,7 +1376,7 @@ static int mtk_nfc_nand_chip_init(struct device *dev, struct mtk_nfc *nfc,
 		return -ENODEV;
 
 	nsels /= sizeof(u32);
-	if (!nsels || nsels > MTK_NAND_MAX_NSELS) {
+	if (nsels <= 0 || nsels > MTK_NAND_MAX_NSELS) {
 		dev_err(dev, "invalid reg property size %d\n", nsels);
 		return -EINVAL;
 	}
-- 
2.26.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ