[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <87qzvogksw.fsf@bootlin.com>
Date: Tue, 30 Sep 2025 14:57:19 +0200
From: Miquel Raynal <miquel.raynal@...tlin.com>
To: Dan Carpenter <dan.carpenter@...aro.org>
Cc: Michał Kępień <kernel@...pniu.pl>, Richard
Weinberger <richard@....at>,
Vignesh Raghavendra <vigneshr@...com>, linux-mtd@...ts.infradead.org,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [PATCH v2 resend] mtdchar: fix integer overflow in read/write
ioctls
Hi Dan,
On 30/09/2025 at 15:32:34 +03, Dan Carpenter <dan.carpenter@...aro.org> wrote:
> The "req.start" and "req.len" variables are u64 values that come from the
> user at the start of the function. We mask away the high 32 bits of
> "req.len" so that's capped at U32_MAX but the "req.start" variable can go
> up to U64_MAX which means that the addition can still integer overflow.
>
> Use check_add_overflow() to fix this bug.
>
> Fixes: 095bb6e44eb1 ("mtdchar: add MEMREAD ioctl")
> Fixes: 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl")
> Cc: stable@...r.kernel.org
> Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
> ---
> v2: fix the tags.
> RESEND: I sent this last year but it wasn't applied.
> https://lore.kernel.org/all/Z1ax3K3-zSJExPNV@stanley.mountain/
I don't know why, perhaps it got filtered as SPAM, I don't know, but I'm
sorry about that.
I've just "closed" next, so I'll queue this in a fixes PR on top of
v5.18-rc1.
Thanks,
Miquèl
Powered by blists - more mailing lists