Message-ID: <1506516557.19393.5.camel@gmail.com>
Subject: [PATCH] mtd: nand: atmel: fix buffer overflow in atmel_pmecc_user
From: Richard Genoud
To: Boris Brezillon
Cc: Richard Genoud, Nicolas Ferre, linux-mtd, Linux Kernel
Date: Wed, 27 Sep 2017 14:49:17 +0200
X-Mailing-List: linux-kernel@vger.kernel.org

When calculating the size needed by struct atmel_pmecc_user *user,
the dmu and delta buffer sizes were forgotten.
This led to a memory corruption (especially with a large ecc_strength).

Link: http://lkml.kernel.org/r/1506503157.3016.5.camel@gmail.com
Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
Cc: Nicolas Ferre
Cc: stable@vger.kernel.org
Reported-by: Richard Genoud
Pointed-at-by: Boris Brezillon
Signed-off-by: Richard Genoud
---
 drivers/mtd/nand/atmel/pmecc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mtd/nand/atmel/pmecc.c b/drivers/mtd/nand/atmel/pmecc.c index 146af8218314..8268636675ef 100644 --- a/drivers/mtd/nand/atmel/pmecc.c +++ b/drivers/mtd/nand/atmel/pmecc.c
@@ -363,7 +363,7 @@ atmel_pmecc_create_user(struct atmel_pmecc *pmecc, size += (req->ecc.strength + 1) * sizeof(u16); /* Reserve space for mu, dmu and delta. */ size = ALIGN(size, sizeof(s32)); - size += (req->ecc.strength + 1) * sizeof(s32); + size += (req->ecc.strength + 1) * sizeof(s32) * 3; user = kzalloc(size, GFP_KERNEL); if (!user)
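
Review bot: the bare `* 3` on the added `size +=` line ties the allocation to the number of s32 arrays (mu, dmu and delta) only through the comment above it, which is the same loose coupling that allowed two of the three to be left out originally. Consider computing the per-array size once, for example `n = (req->ecc.strength + 1) * sizeof(s32);` followed by `size += 3 * n;`, and reusing that value where the mu, dmu and delta pointers are carved out of the allocation (that code is not visible in this hunk), so the sizing and the buffer layout cannot drift apart again. A short comment stating that the three arrays each hold `strength + 1` entries would also make the invariant checkable at a glance.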