Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3004410imu;
        Sun, 9 Dec 2018 14:53:16 -0800 (PST)
X-Google-Smtp-Source: AFSGD/Ve/NVjLVcNe5gS/8wipd2qYstsxc36H5Jk9mN8uuALB8F3uChgrcDLx0MyLcIp8oBOG6SJ
X-Received: by 2002:a17:902:7402:: with SMTP id g2mr9721641pll.198.1544395996122;
        Sun, 09 Dec 2018 14:53:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1544395996; cv=none;
        d=google.com; s=arc-20160816;
        b=BVicdSmi4MavDA2LJ4Ed1CfyGZCXMc0NpnnYc0eZabl9Atx5IHV2stgm2ZUkzEVntz
         TvheI8Y7AEep7MsokGRtg/7+gRzvZ4zizW4Ci+p0X3eqlM0+8meb/lcHan9YKdHKyDdt
         Rb7M/rNEs3mC0U6INS0p3JzQTWuWSnLbAhg5ONO4yj4+4JhcoWLWBJC2/3mfFSDbvsfk
         WdRA2MNc97j2g4j+977aiQzEwu7t+iKZ5pMt9IsCN021945dRfNVkKNMCTGyDIdVXf3b
         ktWE7PTUmjCzSK5N8MYrwPo+axZq3At7V9u0ZUlIq5Q8nNk72VzVO2KqEvYs0qU/q3qs
         J9UQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to
         :from:mime-version:content-transfer-encoding:content-disposition;
        bh=gbiSjGgZFVFd1S8HJpR+51dVZp/q6hgsDoln5TTLKTg=;
        b=WzXBpXMPIl3xibqEESpAHgtp3Q0w386lxDdi8IsLTUbMOuQ9L90szP/4eey/MicY2v
         CPlthuN4tPOQf1Dhjtc7LLntnjP7l5TgTf7gGH0mzb3LHWQHoNDVTmWoMRiwWbIqjSHv
         dr8cQqO9ibO4AY1ar9Crglz/8UbHXzwA28MfPlZqmYHGBnyYvnf34kYAYYBlsusxrzmx
         EqG+KwyhRW0nOz5pEMMwijuL/lXy0HBbhuG1oZe2j0zb29tolqc3oge/epIbYJH92Fmy
         zRcW1zJSXKkBRkIH1nvEgynBeUyKNEXjEa6I5XwKhzpk4+b32pMa8txsM+CEDQfZhnsF
         84BA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id bh12si8506376plb.353.2018.12.09.14.53.01;
        Sun, 09 Dec 2018 14:53:16 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727668AbeLIWFt (ORCPT <rfc822;atom.tux.beastie@gmail.com>
        + 99 others); Sun, 9 Dec 2018 17:05:49 -0500
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:36992 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726870AbeLIWFr (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 9 Dec 2018 17:05:47 -0500
Received: from pub.yeoldevic.com ([81.174.156.145] helo=deadeye)
        by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.89)
        (envelope-from <ben@decadent.org.uk>)
        id 1gW73O-0002ib-Mg; Sun, 09 Dec 2018 21:55:58 +0000
Received: from ben by deadeye with local (Exim 4.91)
        (envelope-from <ben@decadent.org.uk>)
        id 1gW72Z-0003Fd-JK; Sun, 09 Dec 2018 21:55:07 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
From:   Ben Hutchings <ben@decadent.org.uk>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC:     akpm@linux-foundation.org,
        "Boris Brezillon" <boris.brezillon@bootlin.com>,
        "Jann Horn" <jannh@google.com>
Date:   Sun, 09 Dec 2018 21:50:33 +0000
Message-ID: <lsq.1544392233.444023348@decadent.org.uk>
X-Mailer: LinuxStableQueue (scripts by bwh)
X-Patchwork-Hint: ignore
Subject: [PATCH 3.16 044/328] mtdchar: fix overflows in adjustment of `count`
In-Reply-To: <lsq.1544392232.713909046@decadent.org.uk>
X-SA-Exim-Connect-IP: 81.174.156.145
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.62-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit 6c6bc9ea84d0008024606bf5ba10519e20d851bf upstream.

The first checks in mtdchar_read() and mtdchar_write() attempt to limit
`count` such that `*ppos + count <= mtd->size`. However, they ignore the
possibility of `*ppos > mtd->size`, allowing the calculation of `count` to
wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the
pread/pwrite syscalls bypass this.

I haven't found any codepath on which this actually causes dangerous
behavior, but it seems like a sensible change anyway.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/mtdchar.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -190,8 +190,12 @@ static ssize_t mtdchar_read(struct file
 
 	pr_debug("MTD_read\n");
 
-	if (*ppos + count > mtd->size)
-		count = mtd->size - *ppos;
+	if (*ppos + count > mtd->size) {
+		if (*ppos < mtd->size)
+			count = mtd->size - *ppos;
+		else
+			count = 0;
+	}
 
 	if (!count)
 		return 0;
@@ -276,7 +280,7 @@ static ssize_t mtdchar_write(struct file
 
 	pr_debug("MTD_write\n");
 
-	if (*ppos == mtd->size)
+	if (*ppos >= mtd->size)
 		return -ENOSPC;
 
 	if (*ppos + count > mtd->size)