| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Feb 2022 10:18:56 +0100 (CET)
From: Richard Weinberger <richard@....at>
To: Michał Kępień <kernel@...pniu.pl>
Cc: Miquel Raynal <miquel.raynal@...tlin.com>,
Vignesh Raghavendra <vigneshr@...com>,
Boris Brezillon <boris.brezillon@...labora.com>,
linux-mtd <linux-mtd@...ts.infradead.org>,
linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v3 4/4] mtdchar: add MEMREAD ioctl
Michał,
----- Ursprüngliche Mail -----
> Von: "Michał Kępień" <kernel@...pniu.pl>
> An: "Miquel Raynal" <miquel.raynal@...tlin.com>, "richard" <richard@....at>, "Vignesh Raghavendra" <vigneshr@...com>
> CC: "Boris Brezillon" <boris.brezillon@...labora.com>, "linux-mtd" <linux-mtd@...ts.infradead.org>, "linux-kernel"
> <linux-kernel@...r.kernel.org>
> Gesendet: Dienstag, 25. Januar 2022 11:48:22
> Betreff: [PATCH v3 4/4] mtdchar: add MEMREAD ioctl
> + if (req.start + req.len > mtd->size) {
I think this can overflow since both req.start and req.len are u64.
So an evil-doer might bypass this check.
> + ret = -EINVAL;
> + goto out;
> + }
> +
> + datbuf_len = min_t(size_t, req.len, mtd->erasesize);
> + if (datbuf_len > 0) {
> + datbuf = kmalloc(datbuf_len, GFP_KERNEL);
If mtd->erasesize is large (which is not uncommon these days) you might
request more from kmalloc() than it can serve.
Maybe kvmalloc() makes more sense?
> + if (!datbuf) {
> + ret = -ENOMEM;
> + goto out;
> + }
> + }
> +
> + oobbuf_len = min_t(size_t, req.ooblen, mtd->erasesize);
> + if (oobbuf_len > 0) {
> + oobbuf = kmalloc(oobbuf_len, GFP_KERNEL);
Same.
Thanks,
//richard
Powered by blists - more mailing lists