[PATCH] mtdchar: fix integer overflow in read/write ioctls
Zhihao Cheng
chengzhihao1 at huawei.com
Sun Dec 8 22:27:58 PST 2024
On 2024/12/8 1:05, Dan Carpenter wrote:
> On Sat, Dec 07, 2024 at 12:17:33PM +0800, Zhihao Cheng wrote:
>> On 2024/12/7 4:26, Dan Carpenter wrote:
>>> The "req.start" and "req.len" variables are u64 values that come from the
>>> user at the start of the function. We mask away the high 32 bits of
>>> "req.len" so that's capped at U32_MAX but the "req.start" variable can go
>>> up to U64_MAX.
>>>
>>> Use check_add_overflow() to fix this bug.
>>>
>>> Fixes: 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl")
>>
>> Hi, Dan. Why this fix tag? I think the result of adding 'req.start' and
>> 'req.len' could overflow too before this commit.
>>
>
> I've looked at this again, and I still don't see the bug before the
> commit. Secondly, commit a1eda864c04c ("mtdchar: prevent integer
> overflow in a safety check") is missing a Fixes tag but the message says
> that it's this commit which introduced the bug.
Ah, I see. There is no addition operation for 'req.start' and
'req.len' until commit 6420ac0af95d ("mtdchar: prevent unbounded
allocation in MEMWRITE ioctl") and 095bb6e44eb1 ("mtdchar: add MEMREAD
ioctl"), so I guess there should be two fix tags?
>
> Which commit should get the fixes tag?
>
> I should have added a CC to the stable tree though. I did that correctly
> in an earlier draft of this patch but I messed up in this version. :/
>
> regards,
> dan carpenter
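To make the overflow being discussed concrete, here is an added example (not the mtdchar code or either author's patch) contrasting the unchecked bound check on `req.start + req.len` with one using `__builtin_add_overflow`, which is what the kernel's `check_add_overflow()` expands to; the device size and request values are constructed.

```c
/* Added illustration, not kernel code: why the u64 sum "req.start + req.len"
 * must be checked for wrap-around before it is compared against the device
 * size. The masking of len to 32 bits mirrors what the ioctl does. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct req { uint64_t start; uint64_t len; };

/* Unchecked form: a start near U64_MAX makes the sum wrap to a small
 * value, so an out-of-range request passes the "<= size" test. */
bool range_ok_unchecked(struct req r, uint64_t mtd_size)
{
    r.len &= 0xffffffffULL;            /* len capped at U32_MAX */
    return r.start + r.len <= mtd_size;
}

/* Checked form: __builtin_add_overflow reports the wrap, and the
 * request is rejected instead of being compared as a wrapped value. */
bool range_ok_checked(struct req r, uint64_t mtd_size)
{
    uint64_t end;

    r.len &= 0xffffffffULL;
    if (__builtin_add_overflow(r.start, r.len, &end))
        return false;                  /* sum wrapped: reject */
    return end <= mtd_size;
}

int main(void)
{
    const uint64_t mtd_size = 64ULL << 20;         /* constructed: 64 MiB */
    struct req wrap = { .start = UINT64_MAX - 4, .len = 16 };

    /* Unchecked: (U64_MAX - 4) + 16 wraps to 11, which is "within" size. */
    printf("unchecked accepts wrapped range: %d\n",
           range_ok_unchecked(wrap, mtd_size));
    printf("checked   accepts wrapped range: %d\n",
           range_ok_checked(wrap, mtd_size));
    return 0;
}
```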