mtd: spi-nor: Check consistency of the memory size extracted from the SFDP

Linux-MTD Mailing List linux-mtd at lists.infradead.org
Tue Sep 19 13:59:01 PDT 2017


Gitweb:     http://git.infradead.org/?p=mtd-2.6.git;a=commit;h=b8f3911610529ba531b99d1e109c7a40fb071f0a
Commit:     b8f3911610529ba531b99d1e109c7a40fb071f0a
Parent:     2bd6bf03f4c1c59381d62c61d03f6cc3fe71f66e
Author:     Boris Brezillon <boris.brezillon at free-electrons.com>
AuthorDate: Tue Sep 12 15:10:35 2017 +0200
Committer:  Boris Brezillon <boris.brezillon at free-electrons.com>
CommitDate: Mon Sep 18 09:53:27 2017 +0200

    mtd: spi-nor: Check consistency of the memory size extracted from the SFDP
    
    One field of the flash parameter table contains information about the
    flash device size.
    Most of the time the data extracted from this field is valid, but
    sometimes the BFPT section of the SFDP table is corrupted or invalid and
    this field is set to 0xffffffff, thus resulting in an integer overflow
    when setting params->size.
    
    Since NOR devices are anyway always smaller than 2^64 bytes, we can
    easily stop the BFPT parsing if the size reported in this table is
    invalid.
    
    Fixes: f384b352cbf0 ("mtd: spi-nor: parse Serial Flash Discoverable Parameters (SFDP) tables")
    Reported-by: Geert Uytterhoeven <geert at linux-m68k.org>
    Signed-off-by: Boris Brezillon <boris.brezillon at free-electrons.com>
    Tested-by: Geert Uytterhoeven <geert+renesas at glider.be>
    Acked-by: Cyrille Pitchen <cyrille.pitchen at wedev4u.com>
---
 drivers/mtd/spi-nor/spi-nor.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/mtd/spi-nor/spi-nor.c b/drivers/mtd/spi-nor/spi-nor.c
index cf1d4a1..4425b02 100644
--- a/drivers/mtd/spi-nor/spi-nor.c
+++ b/drivers/mtd/spi-nor/spi-nor.c
@@ -2127,6 +2127,15 @@ static int spi_nor_parse_bfpt(struct spi_nor *nor,
 	params->size = bfpt.dwords[BFPT_DWORD(2)];
 	if (params->size & BIT(31)) {
 		params->size &= ~BIT(31);
+
+		/*
+		 * Prevent overflows on params->size. Anyway, a NOR of 2^64
+		 * bits is unlikely to exist so this error probably means
+		 * the BFPT we are reading is corrupted/wrong.
+		 */
+		if (params->size > 63)
+			return -EINVAL;
+
 		params->size = 1ULL << params->size;
 	} else {
 		params->size++;
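
Review bot: the comment added above the `params->size > 63` check speaks of "a NOR of 2^64 bits", while the commit message justifies the same bound with devices being "smaller than 2^64 bytes". Please state the unit consistently. Since the comment sits directly on the exponent taken from the BFPT dword, it would help to say there that the value being bounded is a shift count that feeds `1ULL << params->size`. The bound itself is right for the case the commit message describes: a dword of 0xffffffff has BIT(31) set, the mask leaves 0x7fffffff, and that is rejected before the shift. Note that 63 only keeps the shift well defined; exponents well beyond any plausible device size still pass, so the check guards against the overflow rather than validating the size. A short debug message before `return -EINVAL` would also make a corrupted BFPT visible in the log instead of failing silently.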


