Subject: Re: [PATCH] mtd: nand: atmel: fix buffer overflow in atmel_pmecc_user
To: Richard Genoud, Boris Brezillon
CC: linux-mtd, Linux Kernel
References: <1506516557.19393.5.camel@gmail.com>
From: Nicolas Ferre
Organization: microchip
Message-ID: <3ab0ab38-bdd1-0f9c-2fe9-0f006b90e498@microchip.com>
Date: Wed, 27 Sep 2017 17:32:22 +0200
In-Reply-To: <1506516557.19393.5.camel@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 27/09/2017 at 14:49, Richard Genoud wrote:
> When calculating the size needed by struct atmel_pmecc_user *user,
> the dmu and delta buffer sizes were forgotten.
> This led to a memory corruption (especially with a large ecc_strength).
>
> Link: http://lkml.kernel.org/r/1506503157.3016.5.camel@gmail.com
> Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
> Cc: Nicolas Ferre

Yes:
Reviewed-by: Nicolas Ferre

Thanks Richard and Boris for this quick fix!

Regards,
  Nicolas

> Cc: stable@vger.kernel.org
> Reported-by: Richard Genoud
> Pointed-at-by: Boris Brezillon
> Signed-off-by: Richard Genoud
> ---
> drivers/mtd/nand/atmel/pmecc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/mtd/nand/atmel/pmecc.c b/drivers/mtd/nand/atmel/pmecc.c
> index 146af8218314..8268636675ef 100644
> --- a/drivers/mtd/nand/atmel/pmecc.c > +++ b/drivers/mtd/nand/atmel/pmecc.c > @@ -363,7 +363,7 @@ atmel_pmecc_create_user(struct atmel_pmecc *pmecc, > size += (req->ecc.strength + 1) * sizeof(u16); > /* Reserve space for mu, dmu and delta. */ > size = ALIGN(size, sizeof(s32)); > - size += (req->ecc.strength + 1) * sizeof(s32); > + size += (req->ecc.strength + 1) * sizeof(s32) * 3; > > user = kzalloc(size, GFP_KERNEL); > if (!user) > -- Nicolas Ferre
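Review bot: In the changed line `size += (req->ecc.strength + 1) * sizeof(s32) * 3;` the factor 3 is a bare literal whose meaning comes only from the comment two lines above it ("mu, dmu and delta"), so the allocation size and the number of s32 buffers it is meant to cover are still kept in step by hand. The commit message describes exactly that kind of mismatch as the cause of the corruption, so it would be worth making the relationship explicit, for example by adding one `(req->ecc.strength + 1) * sizeof(s32)` term per buffer, each named in the comment, or by using a named count instead of `3`. The code that hands these buffers out of the `kzalloc()`ed region is not part of this hunk; it should be checked against the new size, since any buffer added there later without a matching term here would reintroduce the overflow. The Fixes: and Cc: stable tags are present, which is appropriate for a memory-corruption fix.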