[PATCH] mtd: fix out-of-bounds issue in inftl_add_mtd() and nftl_add_mtd()

Weimin Xie quic_weimxie at quicinc.com
Tue Mar 5 21:04:50 PST 2024


When the length of mtd->name is less than 10, it will hit an out-of-bounds
issue.

OOB log of nftl_add_mtd():
[    3.918811][    T1] Creating 44 MTD partitions on "1c98000.nand":
[    3.918916][    T1] 0x000000000000-0x000000400000 : "sbl"
[    3.922087][    T1] ==================================================================
[    3.922163][    T1] BUG: KASAN: slab-out-of-bounds in bcmp+0x44/0xe0
[    3.922263][    T1] Read of size 8 at addr ffffff8003590d00 by task swapper/0/1
[    3.922384][    T1] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.15.123-debug-g63e58e33b056-dirty #1
[    3.922484][    T1] Hardware name: XXX
[    3.922557][    T1] Call trace:
[    3.922611][    T1]  dump_backtrace+0x0/0x404
[    3.922699][    T1]  show_stack+0x30/0x44
[    3.922781][    T1]  dump_stack_lvl+0x90/0xb0
[    3.922875][    T1]  print_address_description+0x78/0x38c
[    3.922978][    T1]  kasan_report+0x184/0x1fc
[    3.923071][    T1]  kasan_check_range+0x278/0x2b8
[    3.923167][    T1]  __asan_loadN+0x44/0x54
[    3.923264][    T1]  bcmp+0x44/0xe0
[    3.923342][    T1]  nftl_add_mtd+0xb0/0x384
[    3.923441][    T1]  blktrans_notify_add+0x6c/0xb4
[    3.923538][    T1]  add_mtd_device+0x8f0/0xaec
[    3.923626][    T1]  add_mtd_partitions+0x148/0x330
[    3.923721][    T1]  mtd_device_parse_register+0x66c/0x860
[    3.923813][    T1]  msm_nand_probe+0xf74/0x107c
[    3.923897][    T1]  platform_probe+0x108/0x168

OOB log of inftl_add_mtd():
[    3.918811][    T1] Creating 44 MTD partitions on "1c98000.nand":
[    3.918028][    T1] 0x000000000000-0x000000400000 : "sbl"
[    3.921215][    T1] ==================================================================
[    3.921288][    T1] BUG: KASAN: slab-out-of-bounds in bcmp+0x44/0xe0
[    3.921386][    T1] Read of size 8 at addr ffffff8003593100 by task swapper/0/1
[    3.921509][    T1] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.15.123-debug-g63e58e33b056 #1
[    3.921606][    T1] Hardware name: XXX
[    3.921675][    T1] Call trace:
[    3.921728][    T1]  dump_backtrace+0x0/0x404
[    3.921821][    T1]  show_stack+0x30/0x44
[    3.921904][    T1]  dump_stack_lvl+0x90/0xb0
[    3.921999][    T1]  print_address_description+0x78/0x38c
[    3.922102][    T1]  kasan_report+0x184/0x1fc
[    3.922195][    T1]  kasan_check_range+0x278/0x2b8
[    3.922290][    T1]  __asan_loadN+0x44/0x54
[    3.922388][    T1]  bcmp+0x44/0xe0
[    3.922466][    T1]  inftl_add_mtd+0xb0/0x3a8
[    3.922568][    T1]  blktrans_notify_add+0x6c/0xb4
[    3.922665][    T1]  add_mtd_device+0x8f0/0xaec
[    3.922752][    T1]  add_mtd_partitions+0x148/0x330
[    3.922847][    T1]  mtd_device_parse_register+0x66c/0x860
[    3.922940][    T1]  msm_nand_probe+0xf74/0x107c
[    3.923024][    T1]  platform_probe+0x108/0x168

Signed-off-by: Weimin Xie <quic_weimxie at quicinc.com>
---
 drivers/mtd/inftlcore.c | 2 +-
 drivers/mtd/nftlcore.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/mtd/inftlcore.c b/drivers/mtd/inftlcore.c
index 9739387cff8c..37484d914bd0 100644
--- a/drivers/mtd/inftlcore.c
+++ b/drivers/mtd/inftlcore.c
@@ -40,7 +40,7 @@ static void inftl_add_mtd(struct mtd_blktrans_ops *tr, struct mtd_info *mtd)
 	if (!mtd_type_is_nand(mtd) || mtd->size > UINT_MAX)
 		return;
 	/* OK, this is moderately ugly.  But probably safe.  Alternatives? */
-	if (memcmp(mtd->name, "DiskOnChip", 10))
+	if (strncmp(mtd->name, "DiskOnChip", 10))
 		return;
 
 	if (!mtd->_block_isbad) {
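Review bot: On the added `strncmp(mtd->name, "DiskOnChip", 10)` line, the length 10 is still a hand-counted magic number tied to the literal, the same pattern that let the old `memcmp` read 10 bytes no matter how short `mtd->name` was. `strncmp` stops at the NUL terminator, so the slab over-read for short names such as "sbl" goes away, but the prefix test would be harder to get wrong as `if (!str_has_prefix(mtd->name, "DiskOnChip")) return;`, which takes the length from the literal itself. The context comment above it ("moderately ugly. But probably safe.") described the memcmp and should be updated or dropped, since the KASAN report in the commit message shows it was not safe.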
diff --git a/drivers/mtd/nftlcore.c b/drivers/mtd/nftlcore.c
index 64d319e959b2..599b84548086 100644
--- a/drivers/mtd/nftlcore.c
+++ b/drivers/mtd/nftlcore.c
@@ -40,7 +40,7 @@ static void nftl_add_mtd(struct mtd_blktrans_ops *tr, struct mtd_info *mtd)
 	if (!mtd_type_is_nand(mtd) || mtd->size > UINT_MAX)
 		return;
 	/* OK, this is moderately ugly.  But probably safe.  Alternatives? */
-	if (memcmp(mtd->name, "DiskOnChip", 10))
+	if (strncmp(mtd->name, "DiskOnChip", 10))
 		return;
 
 	pr_debug("NFTL: add_mtd for %s\n", mtd->name);
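Review bot: The `strncmp(mtd->name, "DiskOnChip", 10)` line here duplicates the check in inftlcore.c, so the two need to stay in sync: whichever form is settled on (for example `str_has_prefix()`) should be applied to both files, or the test could move into one small shared helper. Separately, the KASAN reports in the commit message come from a 5.15.123 kernel and the message carries no Fixes: tag or stable Cc; adding them would let the fix reach the kernels where the over-read was observed.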
-- 
2.25.1



