[PATCH v2 resend] mtdchar: fix integer overflow in read/write ioctls

Miquel Raynal miquel.raynal at bootlin.com
Tue Sep 30 05:57:19 PDT 2025


Hi Dan,

On 30/09/2025 at 15:32:34 +03, Dan Carpenter <dan.carpenter at linaro.org> wrote:

> The "req.start" and "req.len" variables are u64 values that come from the
> user at the start of the function.  We mask away the high 32 bits of
> "req.len" so that's capped at U32_MAX but the "req.start" variable can go
> up to U64_MAX which means that the addition can still integer overflow.
>
> Use check_add_overflow() to fix this bug.
>
> Fixes: 095bb6e44eb1 ("mtdchar: add MEMREAD ioctl")
> Fixes: 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl")
> Cc: stable at vger.kernel.org
> Signed-off-by: Dan Carpenter <dan.carpenter at linaro.org>
> ---
> v2: fix the tags.
> RESEND: I sent this last year but it wasn't applied.
> https://lore.kernel.org/all/Z1ax3K3-zSJExPNV@stanley.mountain/

I don't know why, perhaps it got filtered as SPAM, I don't know, but I'm
sorry about that.

I've just "closed" next, so I'll queue this in a fixes PR on top of
v5.18-rc1.

Thanks,
Miquèl
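
The overflow described in the quoted commit message, shown as an added userspace example; it is not part of this mail and is not the kernel's mtdchar code. The struct, function names, device size and the `start + len <= size` shape of the bounds check are assumptions made for illustration, and `__builtin_add_overflow` is the GCC/Clang builtin that the kernel's check_add_overflow() wraps.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a user-supplied request; not the kernel's struct. */
struct range_req {
    uint64_t start; /* fully user-controlled, can be as large as UINT64_MAX */
    uint64_t len;   /* high 32 bits masked away before use, per the commit message */
};

/* Unchecked form: start + len can wrap past UINT64_MAX and then look in-bounds. */
static bool range_ok_unchecked(const struct range_req *req, uint64_t dev_size)
{
    uint64_t len = req->len & 0xffffffffULL;

    return req->start + len <= dev_size;
}

/* Checked form: reject the request outright if the addition wraps. */
static bool range_ok_checked(const struct range_req *req, uint64_t dev_size)
{
    uint64_t len = req->len & 0xffffffffULL;
    uint64_t end;

    if (__builtin_add_overflow(req->start, len, &end))
        return false;
    return end <= dev_size;
}

int main(void)
{
    const uint64_t dev_size = 128ULL << 20; /* constructed: 128 MiB device */
    /* Constructed inputs: an ordinary range, and one whose sum wraps to 0x1000. */
    struct range_req good = { .start = 4096, .len = 4096 };
    struct range_req wrap = { .start = UINT64_MAX - 0xfff, .len = 0x2000 };

    printf("good: unchecked=%d checked=%d\n",
           range_ok_unchecked(&good, dev_size), range_ok_checked(&good, dev_size));
    printf("wrap: unchecked=%d checked=%d\n",
           range_ok_unchecked(&wrap, dev_size), range_ok_checked(&wrap, dev_size));
    return 0;
}
```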


