| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aSW0-9cJcTMTynTj@stanley.mountain>
Date: Tue, 25 Nov 2025 16:54:03 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Mike Rapoport <rppt@...nel.org>
Cc: Dan Williams <dan.j.williams@...el.com>,
Vishal Verma <vishal.l.verma@...el.com>,
Dave Jiang <dave.jiang@...el.com>, Ira Weiny <ira.weiny@...el.com>,
nvdimm@...ts.linux.dev, linux-kernel@...r.kernel.org,
kernel-janitors@...r.kernel.org
Subject: [PATCH next] nvdimm: Prevent integer overflow in
ramdax_get_config_data()
The "cmd->in_offset" variable comes from the user via the __nd_ioctl()
function. The problem is that the "cmd->in_offset + cmd->in_length"
addition could have an integer wrapping issue if cmd->in_offset is close
to UINT_MAX . The "cmd->in_length" variable has been capped, but the
"cmd->in_offset" variable has not. Both of these variables are type u32.
Fixes: 43bc0aa19a21 ("nvdimm: allow exposing RAM carveouts as NVDIMM DIMM devices")
Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
---
drivers/nvdimm/ramdax.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvdimm/ramdax.c b/drivers/nvdimm/ramdax.c
index 63cf05791829..faa6f3101972 100644
--- a/drivers/nvdimm/ramdax.c
+++ b/drivers/nvdimm/ramdax.c
@@ -143,7 +143,7 @@ static int ramdax_get_config_data(struct nvdimm *nvdimm, int buf_len,
return -EINVAL;
if (struct_size(cmd, out_buf, cmd->in_length) > buf_len)
return -EINVAL;
- if (cmd->in_offset + cmd->in_length > LABEL_AREA_SIZE)
+ if (size_add(cmd->in_offset, cmd->in_length) > LABEL_AREA_SIZE)
return -EINVAL;
memcpy(cmd->out_buf, dimm->label_area + cmd->in_offset, cmd->in_length);
--
2.51.0
Powered by blists - more mailing lists