linux-kernel - Re: [PATCH] mtd: rawnand: mtk: avoid underflow in mtk_nfc_nand_chip

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date:   Thu, 17 Sep 2020 18:30:01 +0200
From:   Miquel Raynal <miquel.raynal@...tlin.com>
To:     Evgeny Novikov <novikov@...ras.ru>
Cc:     Richard Weinberger <richard@....at>,
        Vignesh Raghavendra <vigneshr@...com>,
        Matthias Brugger <matthias.bgg@...il.com>,
        Boris Brezillon <boris.brezillon@...labora.com>,
        "Gustavo A. R. Silva" <gustavo@...eddedor.com>,
        Masahiro Yamada <yamada.masahiro@...ionext.com>,
        Stephen Boyd <swboyd@...omium.org>,
        linux-mtd@...ts.infradead.org,
        linux-arm-kernel@...ts.infradead.org,
        linux-mediatek@...ts.infradead.org, linux-kernel@...r.kernel.org,
        ldv-project@...uxtesting.org
Subject: Re: [PATCH] mtd: rawnand: mtk: avoid underflow in
 mtk_nfc_nand_chip_init()

Hi Evgeny,

Evgeny Novikov <novikov@...ras.ru> wrote on Wed, 16 Sep 2020 22:40:45
+0300:

> If of_get_property() will set nsels to negative values the driver may

Is this really a possible case?

Looking at the OF code, I don't think it can ever happen...

> allocate insufficient memory for chip. Moreover, there may be underflow
> for devm_kzalloc(). This can result in various bad consequences later.
> The patch causes mtk_nfc_nand_chip_init() to fail for negative values of
> nsels.
> 
> Found by Linux Driver Verification project (linuxtesting.org).
> 
> Signed-off-by: Evgeny Novikov <novikov@...ras.ru>
> ---
>  drivers/mtd/nand/raw/mtk_nand.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c
> index ad1b55dab211..df98a2eec240 100644
> --- a/drivers/mtd/nand/raw/mtk_nand.c
> +++ b/drivers/mtd/nand/raw/mtk_nand.c
> @@ -1376,7 +1376,7 @@ static int mtk_nfc_nand_chip_init(struct device *dev, struct mtk_nfc *nfc,
>  		return -ENODEV;
>  
>  	nsels /= sizeof(u32);
> -	if (!nsels || nsels > MTK_NAND_MAX_NSELS) {
> +	if (nsels <= 0 || nsels > MTK_NAND_MAX_NSELS) {
>  		dev_err(dev, "invalid reg property size %d\n", nsels);
>  		return -EINVAL;
>  	}

Thanks,
Miquèl