[PATCH] mtd: fix out-of-bounds issue in inftl_add_mtd() and nftl_add_mtd()
Weimin Xie
quic_weimxie at quicinc.com
Tue Mar 5 21:04:50 PST 2024
when the length of mtd->name is less than 10, it will hit out-of-bounds
issue.
OOB log of nftl_add_mtd():
[ 3.918811][ T1] Creating 44 MTD partitions on "1c98000.nand":
[ 3.918916][ T1] 0x000000000000-0x000000400000 : "sbl"
[ 3.922087][ T1] ==================================================================
[ 3.922163][ T1] BUG: KASAN: slab-out-of-bounds in bcmp+0x44/0xe0
[ 3.922263][ T1] Read of size 8 at addr ffffff8003590d00 by task swapper/0/1
[ 3.922384][ T1] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.15.123-debug-g63e58e33b056-dirty #1
[ 3.922484][ T1] Hardware name: XXX
[ 3.922557][ T1] Call trace:
[ 3.922611][ T1] dump_backtrace+0x0/0x404
[ 3.922699][ T1] show_stack+0x30/0x44
[ 3.922781][ T1] dump_stack_lvl+0x90/0xb0
[ 3.922875][ T1] print_address_description+0x78/0x38c
[ 3.922978][ T1] kasan_report+0x184/0x1fc
[ 3.923071][ T1] kasan_check_range+0x278/0x2b8
[ 3.923167][ T1] __asan_loadN+0x44/0x54
[ 3.923264][ T1] bcmp+0x44/0xe0
[ 3.923342][ T1] nftl_add_mtd+0xb0/0x384
[ 3.923441][ T1] blktrans_notify_add+0x6c/0xb4
[ 3.923538][ T1] add_mtd_device+0x8f0/0xaec
[ 3.923626][ T1] add_mtd_partitions+0x148/0x330
[ 3.923721][ T1] mtd_device_parse_register+0x66c/0x860
[ 3.923813][ T1] msm_nand_probe+0xf74/0x107c
[ 3.923897][ T1] platform_probe+0x108/0x168
OOB log of inftl_add_mtd():
[ 3.918811][ T1] Creating 44 MTD partitions on "1c98000.nand":
[ 3.918028][ T1] 0x000000000000-0x000000400000 : "sbl"
[ 3.921215][ T1] ==================================================================
[ 3.921288][ T1] BUG: KASAN: slab-out-of-bounds in bcmp+0x44/0xe0
[ 3.921386][ T1] Read of size 8 at addr ffffff8003593100 by task swapper/0/1
[ 3.921509][ T1] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.15.123-debug-g63e58e33b056 #1
[ 3.921606][ T1] Hardware name: XXX
[ 3.921675][ T1] Call trace:
[ 3.921728][ T1] dump_backtrace+0x0/0x404
[ 3.921821][ T1] show_stack+0x30/0x44
[ 3.921904][ T1] dump_stack_lvl+0x90/0xb0
[ 3.921999][ T1] print_address_description+0x78/0x38c
[ 3.922102][ T1] kasan_report+0x184/0x1fc
[ 3.922195][ T1] kasan_check_range+0x278/0x2b8
[ 3.922290][ T1] __asan_loadN+0x44/0x54
[ 3.922388][ T1] bcmp+0x44/0xe0
[ 3.922466][ T1] inftl_add_mtd+0xb0/0x3a8
[ 3.922568][ T1] blktrans_notify_add+0x6c/0xb4
[ 3.922665][ T1] add_mtd_device+0x8f0/0xaec
[ 3.922752][ T1] add_mtd_partitions+0x148/0x330
[ 3.922847][ T1] mtd_device_parse_register+0x66c/0x860
[ 3.922940][ T1] msm_nand_probe+0xf74/0x107c
[ 3.923024][ T1] platform_probe+0x108/0x168
Signed-off-by: Weimin Xie <quic_weimxie at quicinc.com>
---
drivers/mtd/inftlcore.c | 2 +-
drivers/mtd/nftlcore.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/mtd/inftlcore.c b/drivers/mtd/inftlcore.c
index 9739387cff8c..37484d914bd0 100644
--- a/drivers/mtd/inftlcore.c
+++ b/drivers/mtd/inftlcore.c
@@ -40,7 +40,7 @@ static void inftl_add_mtd(struct mtd_blktrans_ops *tr, struct mtd_info *mtd)
if (!mtd_type_is_nand(mtd) || mtd->size > UINT_MAX)
return;
/* OK, this is moderately ugly. But probably safe. Alternatives? */
- if (memcmp(mtd->name, "DiskOnChip", 10))
+ if (strncmp(mtd->name, "DiskOnChip", 10))
return;
if (!mtd->_block_isbad) {
diff --git a/drivers/mtd/nftlcore.c b/drivers/mtd/nftlcore.c
index 64d319e959b2..599b84548086 100644
--- a/drivers/mtd/nftlcore.c
+++ b/drivers/mtd/nftlcore.c
@@ -40,7 +40,7 @@ static void nftl_add_mtd(struct mtd_blktrans_ops *tr, struct mtd_info *mtd)
if (!mtd_type_is_nand(mtd) || mtd->size > UINT_MAX)
return;
/* OK, this is moderately ugly. But probably safe. Alternatives? */
- if (memcmp(mtd->name, "DiskOnChip", 10))
+ if (strncmp(mtd->name, "DiskOnChip", 10))
return;
pr_debug("NFTL: add_mtd for %s\n", mtd->name);
--
2.25.1
More information about the linux-mtd
mailing list