| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6b4f7a14-297f-4fc7-bc4b-a9e7d822fb23@stanley.mountain>
Date: Sat, 7 Dec 2024 20:05:43 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Zhihao Cheng <chengzhihao1@...wei.com>
Cc: Michał Kępień <kernel@...pniu.pl>,
Miquel Raynal <miquel.raynal@...tlin.com>,
Richard Weinberger <richard@....at>,
Vignesh Raghavendra <vigneshr@...com>,
linux-mtd@...ts.infradead.org, linux-kernel@...r.kernel.org,
kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] mtdchar: fix integer overflow in read/write ioctls
On Sat, Dec 07, 2024 at 12:17:33PM +0800, Zhihao Cheng wrote:
> 在 2024/12/7 4:26, Dan Carpenter 写道:
> > The "req.start" and "req.len" variables are u64 values that come from the
> > user at the start of the function. We mask away the high 32 bits of
> > "req.len" so that's capped at U32_MAX but the "req.start" variable can go
> > up to U64_MAX.
> >
> > Use check_add_overflow() to fix this bug.
> >
> > Fixes: 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl")
>
> Hi, Dan. Why this fix tag? I think the adding result('req.start' and
> 'req.len') could be overflow too before this commit.
>
I've looked at this again, and I still don't see the bug before the
commit. Secondly, commit a1eda864c04c ("mtdchar: prevent integer
overflow in a safety check") is missing a Fixes tag but the message says
that it's this commit which introduced the bug.
Which commit should get the fixes tag?
I should have added a CC to the stable tree though. I did that correctly
in an earlier draft of this patch but I messed up in this version. :/
regards,
dan carpenter
Powered by blists - more mailing lists