[PATCH v2 resend] mtdchar: fix integer overflow in read/write ioctls
Miquel Raynal
miquel.raynal at bootlin.com
Wed Oct 22 02:56:38 PDT 2025
On Tue, 30 Sep 2025 15:32:34 +0300, Dan Carpenter wrote:
> The "req.start" and "req.len" variables are u64 values that come from the
> user at the start of the function. We mask away the high 32 bits of
> "req.len" so that's capped at U32_MAX but the "req.start" variable can go
> up to U64_MAX which means that the addition can still integer overflow.
>
> Use check_add_overflow() to fix this bug.
>
> [...]
Applied to mtd/fixes, thanks!
[1/1] mtdchar: fix integer overflow in read/write ioctls
commit: e4185bed738da755b191aa3f2e16e8b48450e1b8
Patche(s) should be available on mtd/linux.git and will be
part of the next PR (provided that no robot complains by then).
Kind regards,
Miquèl
More information about the linux-mtd
mailing list