Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752412AbdI0PbL (ORCPT <rfc822;w@1wt.eu>);
        Wed, 27 Sep 2017 11:31:11 -0400
Received: from esa3.microchip.iphmx.com ([68.232.153.233]:14232 "EHLO
        esa3.microchip.iphmx.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751943AbdI0PbK (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 27 Sep 2017 11:31:10 -0400
X-IronPort-AV: E=Sophos;i="5.42,445,1500966000"; 
   d="scan'208";a="7401040"
Subject: Re: [PATCH] mtd: nand: atmel: fix buffer overflow in atmel_pmecc_user
To: Richard Genoud <richard.genoud@gmail.com>,
        Boris Brezillon <boris.brezillon@free-electrons.com>
CC: linux-mtd <linux-mtd@lists.infradead.org>,
        Linux Kernel <linux-kernel@vger.kernel.org>
References: <1506516557.19393.5.camel@gmail.com>
From: Nicolas Ferre <nicolas.ferre@microchip.com>
Organization: microchip
Message-ID: <3ab0ab38-bdd1-0f9c-2fe9-0f006b90e498@microchip.com>
Date: Wed, 27 Sep 2017 17:32:22 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <1506516557.19393.5.camel@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1469
Lines: 42

On 27/09/2017 at 14:49, Richard Genoud wrote:
> When calculating the size needed by struct atmel_pmecc_user *user,
> the dmu and delta buffer sizes were forgotten.
> This lead to a memory corruption (especially with a large ecc_strength).
> 
> Link: http://lkml.kernel.org/r/1506503157.3016.5.camel@gmail.com
> Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
> Cc: Nicolas Ferre <nicolas.ferre@microchip.com>

Yes:
Reviewed-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Thanks Richard and Boris for this quick fix!

Regards,
  Nicolas

> Cc: stable@vger.kernel.org
> Reported-by: Richard Genoud <richard.genoud@gmail.com>
> Pointed-at-by: Boris Brezillon <boris.brezillon@free-electrons.com>
> Signed-off-by: Richard Genoud <richard.genoud@gmail.com>
> ---
>  drivers/mtd/nand/atmel/pmecc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/mtd/nand/atmel/pmecc.c b/drivers/mtd/nand/atmel/pmecc.c
> index 146af8218314..8268636675ef 100644
> --- a/drivers/mtd/nand/atmel/pmecc.c
> +++ b/drivers/mtd/nand/atmel/pmecc.c
> @@ -363,7 +363,7 @@ atmel_pmecc_create_user(struct atmel_pmecc *pmecc,
>  	size += (req->ecc.strength + 1) * sizeof(u16);
>  	/* Reserve space for mu, dmu and delta. */
>  	size = ALIGN(size, sizeof(s32));
> -	size += (req->ecc.strength + 1) * sizeof(s32);
> +	size += (req->ecc.strength + 1) * sizeof(s32) * 3;
>  
>  	user = kzalloc(size, GFP_KERNEL);
>  	if (!user)
> 


-- 
Nicolas Ferre