Uninitialized memcpy length bug in cfi_staa_writev (drivers/mtd/chips/cfi_cmdset_0020.c)
daramos at stanford.edu
Wed Feb 11 11:43:44 PST 2015
Our UC-KLEE tool found an uninitialized memcpy length bug in cfi_staa_writev (drivers/mtd/chips/cfi_cmdset_0020.c). The bug appears in kernel 3.16.3, but it dates back to before the git migration in 2005.
The bug occurs when the initialization of the ‘thislen’ local variable is bypassed (i.e., neither of the if-conditions on lines 686 and 702 is satisfied). This uninitialized variable is then passed to memcpy on line 713, possibly causing memory corruption or a kernel segfault.
It appears that the bug can be triggered if the first element passed to writev() is fewer than mtd->writesize bytes, in which case both if-statements are skipped.
Please let me know if you have any questions.
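An added illustration of the bug shape described in the report, constructed here and not taken from the kernel's cfi_staa_writev() or from the reporter: a simplified gather loop whose copy length is assigned only inside two branches, beside a version where every path computes the length before the copy. WRITESIZE, the branch conditions and the hardening are assumptions for illustration.

```c
#include <string.h>
/* Constructed, simplified model of the bug shape described above, not the
 * kernel's cfi_staa_writev(): a gather loop whose copy length is set only in
 * two branches. The branch conditions and the hardening are assumptions. */
#define WRITESIZE 8u   /* stand-in for mtd->writesize */
struct iov { const unsigned char *base; size_t len; };
/* Buggy flow. Instead of calling memcpy with an unset length, report the
 * path: 1 = memcpy would run with 'thislen' never assigned, 0 = otherwise. */
int reaches_unassigned_len(const struct iov *iov, int count)
{
    size_t staged = 0;                  /* bytes already staged this page */
    for (int i = 0; i < count; i++) {
        size_t thislen = 0; int assigned = 0;
        if (staged == 0 && iov[i].len >= WRITESIZE) {   /* whole page at once */
            thislen = WRITESIZE; assigned = 1;
        } else if (staged + iov[i].len >= WRITESIZE) {  /* element fills page */
            thislen = WRITESIZE - staged; assigned = 1;
        }
        if (!assigned) return 1;   /* memcpy(page, base, thislen) would use garbage */
        staged = (staged + thislen) % WRITESIZE;
    }
    return 0;
}
/* Hardened flow: the length is computed on every path, so a short first
 * element is staged as a partial page. Returns bytes copied, -1 if out is full. */
long gather_hardened(const struct iov *iov, int count, unsigned char *out, size_t cap)
{
    size_t staged = 0, total = 0;
    for (int i = 0; i < count; i++) {
        for (size_t off = 0; off < iov[i].len; ) {
            size_t room = WRITESIZE - staged, left = iov[i].len - off;
            size_t thislen = left < room ? left : room;   /* always assigned */
            if (total + thislen > cap) return -1;
            memcpy(out + total, iov[i].base + off, thislen);
            staged = (staged + thislen) % WRITESIZE;
            total += thislen; off += thislen;
        }
    }
    return (long)total;
}
/* Constructed input: 3-byte first element (< WRITESIZE), then 13 bytes. */
static const unsigned char part1[3] = {1, 2, 3};
static const unsigned char part2[13] = {4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
int demo_buggy(void) { struct iov v[2] = {{part1, 3}, {part2, 13}}; return reaches_unassigned_len(v, 2); }
long demo_hardened(void) {
    struct iov v[2] = {{part1, 3}, {part2, 13}}; unsigned char out[16];
    long n = gather_hardened(v, 2, out, sizeof out);
    return (n == 16 && out[0] == 1 && out[3] == 4 && out[15] == 16) ? n : -1;
}
```

With the short first element, the model reports the unassigned-length path, while the hardened loop stages all 16 bytes in order.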