| commit | 6c6bc9ea84d0008024606bf5ba10519e20d851bf | |
| author | Jann Horn <jannh@google.com> | |
| Sat, 7 Jul 2018 03:37:22 +0000 (7 05:37 +0200) | ||
| committer | Boris Brezillon <boris.brezillon@bootlin.com> | |
| Wed, 18 Jul 2018 14:46:38 +0000 (18 16:46 +0200) | ||
| tree | d8a2b9ee1739402d40438324bb4f825a151f9394 | treesnapshot (tar.gz zip) |
| parent | 89fd23efa0d7934ed9ec93c77486a047759d6543 | commitdiff |
mtdchar: fix overflows in adjustment of `count`
The first checks in mtdchar_read() and mtdchar_write() attempt to limit
`count` such that `*ppos + count <= mtd->size`. However, they ignore the
possibility of `*ppos > mtd->size`, allowing the calculation of `count` to
wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the
pread/pwrite syscalls bypass this.
I haven't found any codepath on which this actually causes dangerous
behavior, but it seems like a sensible change anyway.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
The first checks in mtdchar_read() and mtdchar_write() attempt to limit
`count` such that `*ppos + count <= mtd->size`. However, they ignore the
possibility of `*ppos > mtd->size`, allowing the calculation of `count` to
wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the
pread/pwrite syscalls bypass this.
I haven't found any codepath on which this actually causes dangerous
behavior, but it seems like a sensible change anyway.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
| drivers/mtd/mtdchar.c | diffblobblamehistory |