From: Miquel Raynal
To: Michał Kępień, Miquel Raynal, Richard Weinberger, Vignesh Raghavendra
Cc: linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] mtdchar: prevent integer overflow in a safety check
Date: Thu, 9 Jun 2022 15:10:22 +0200
Message-Id: <20220609131022.293516-1-miquel.raynal@bootlin.com>
In-Reply-To: <20220516070601.11428-2-kernel@kempniu.pl>
X-linux-mtd-patch-commit: a1eda864c04cf24ea1130334963c6199318f6f95

On Mon, 2022-05-16 at 07:06:00 UTC, Michał Kępień wrote:
> Commit 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE
> ioctl") added a safety check to mtdchar_write_ioctl() which attempts to
> ensure that the write request sent by user space does not extend beyond
> the MTD device's size. However, that check contains an addition of two
> struct mtd_write_req fields, 'start' and 'len', both of which are u64
> variables. The result of that addition can overflow, allowing the
> safety check to be bypassed.
>
> The arguably simplest fix - changing the data types of the relevant
> struct mtd_write_req fields - is not feasible as it would break user
> space.
>
> Fix by making mtdchar_write_ioctl() truncate the value provided by user
> space in the 'len' field of struct mtd_write_req, so that only the lower
> 32 bits of that field are used, preventing the overflow.
>
> While the 'ooblen' field of struct mtd_write_req is not currently used
> in any similarly flawed safety check, also truncate it to 32 bits, for
> consistency with the 'len' field and with other MTD routines handling
> OOB data.
>
> Update include/uapi/mtd/mtd-abi.h accordingly.
>
> Suggested-by: Richard Weinberger
> Signed-off-by: Michał Kępień

Applied to https://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux.git mtd/next, thanks.

Miquel
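The overflow described in the quoted commit message, as an added C example that is not the kernel's code: a constructed model of the bounds check with u64 `start` and `len`, showing a wrapping sum slipping past the old check and the 32-bit truncation from the patch rejecting it. The struct, `DEV_SIZE` and all function names are assumptions; the final subtraction-based check is a general overflow-proof idiom added for comparison, not part of the patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the struct mtd_write_req fields the commit
 * message discusses (the real UAPI struct has more members). */
struct write_req {
    uint64_t start;   /* offset into the MTD device */
    uint64_t len;     /* number of data bytes to write */
    uint64_t ooblen;  /* number of OOB bytes to write */
};

/* Hypothetical 16 MiB device, standing in for mtd->size. */
#define DEV_SIZE ((uint64_t)16 * 1024 * 1024)

/* Before the fix: start + len is evaluated in u64 and wraps silently,
 * so a huge 'len' can make the sum tiny and pass the check. */
static bool range_ok_before(const struct write_req *req, uint64_t size)
{
    return req->start + req->len <= size;
}

/* After the fix: 'len' and 'ooblen' are truncated to their low 32 bits
 * before use, so a user-supplied 'len' can no longer wrap the sum. */
static bool range_ok_after(struct write_req *req, uint64_t size)
{
    req->len &= 0xffffffffULL;
    req->ooblen &= 0xffffffffULL;
    return req->start + req->len <= size;
}

/* General idiom (not from the patch): rearrange so no addition occurs. */
static bool range_ok_no_add(const struct write_req *req, uint64_t size)
{
    return req->len <= size && req->start <= size - req->len;
}

/* Scalar wrappers so each check is easy to call from tests. */
static bool old_check(uint64_t start, uint64_t len, uint64_t size)
{ struct write_req r = { start, len, 0 }; return range_ok_before(&r, size); }
static bool new_check(uint64_t start, uint64_t len, uint64_t size)
{ struct write_req r = { start, len, 0 }; return range_ok_after(&r, size); }
static bool safe_check(uint64_t start, uint64_t len, uint64_t size)
{ struct write_req r = { start, len, 0 }; return range_ok_no_add(&r, size); }

int main(void)
{
    /* Constructed wrapping request: 0x100 + 0xFFFFFFFFFFFFFF80 == 0x80 in u64. */
    uint64_t huge = UINT64_C(0xFFFFFFFFFFFFFF80);
    printf("old=%d new=%d safe=%d\n", old_check(0x100, huge, DEV_SIZE),
           new_check(0x100, huge, DEV_SIZE), safe_check(0x100, huge, DEV_SIZE));
    return 0;
}
```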