[PATCH 11/11] nand: spi: Add arguments check for read/write

Tue Feb 21 00:00:10 PST 2017

Check offset and length in spi_nand_do_read_ops and
spi_nand_do_write_ops.

Signed-off-by: Peter Pan <peterpandong at micron.com>
---
 drivers/mtd/nand/spi/spi-nand-base.c | 44 ++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/drivers/mtd/nand/spi/spi-nand-base.c b/drivers/mtd/nand/spi/spi-nand-base.c
index 5ac4b26..c7616d6 100644
--- a/drivers/mtd/nand/spi/spi-nand-base.c
+++ b/drivers/mtd/nand/spi/spi-nand-base.c
@@ -685,6 +685,7 @@ static int spi_nand_do_read_ops(struct mtd_info *mtd, loff_t from,
 			  struct mtd_oob_ops *ops)
 {
 	struct spi_nand_chip *chip = mtd_to_spi_nand(mtd);
+	struct nand_device *nand = mtd_to_nand(mtd);
 	int ret;
 	struct mtd_ecc_stats stats;
 	unsigned int max_bitflips = 0;
@@ -693,7 +694,24 @@ static int spi_nand_do_read_ops(struct mtd_info *mtd, loff_t from,
 	int ooblen = ops->mode == MTD_OPS_AUTO_OOB ?
 		mtd->oobavail : mtd->oobsize;
 
+	if (unlikely(from >= mtd->size)) {
+		pr_err("%s: attempt to read beyond end of device\n",
+				__func__);
+		return -EINVAL;
+	}
 	if (oobreadlen > 0) {
+		if (unlikely(ops->ooboffs >= ooblen)) {
+			pr_err("%s: attempt to start read outside oob\n",
+					__func__);
+			return -EINVAL;
+		}
+		if (unlikely(ops->ooboffs + oobreadlen >
+		(nand_len_to_pages(nand, mtd->size) - nand_offs_to_page(nand, from))
+		* ooblen)) {
+			pr_err("%s: attempt to read beyond end of device\n",
+					__func__);
+			return -EINVAL;
+		}
 		ooblen -= ops->ooboffs;
 		ops->oobretlen = 0;
 	}
@@ -789,12 +807,38 @@ static int spi_nand_do_write_ops(struct mtd_info *mtd, loff_t to,
 		mtd->oobavail : mtd->oobsize;
 	bool ecc_off = ops->mode == MTD_OPS_RAW;
 
+	/* Do not allow reads past end of device */
+	if (unlikely(to >= mtd->size)) {
+		pr_err("%s: attempt to write beyond end of device\n",
+				__func__);
+		return -EINVAL;
+	}
+
 	page_addr = nand_offs_to_page(nand, to);
 	page_offset = to & (nand_page_size(nand) - 1);
 	ops->retlen = 0;
 
 	/* for oob */
 	if (oobwritelen > 0) {
+		/* Do not allow write past end of page */
+		if ((ops->ooboffs + oobwritelen) > ooblen) {
+			pr_err("%s: attempt to write past end of page\n",
+					__func__);
+			return -EINVAL;
+		}
+
+		if (unlikely(ops->ooboffs >= ooblen)) {
+			pr_err("%s: attempt to start write outside oob\n",
+					__func__);
+			return -EINVAL;
+		}
+		if (unlikely(ops->ooboffs + oobwritelen >
+		(nand_len_to_pages(nand, mtd->size) - nand_offs_to_page(nand, to))
+			* ooblen)) {
+			pr_err("%s: attempt to write beyond end of device\n",
+					__func__);
+			return -EINVAL;
+		}
 		ooblen -= ops->ooboffs;
 		ops->oobretlen = 0;
 	}
-- 
1.9.1


