[PATCH 2/3] commands: md: fix OOB read when mmapping
Sascha Hauer
s.hauer at pengutronix.de
Tue Jan 13 05:05:19 PST 2026
On Mon, Jan 12, 2026 at 09:56:05AM +0100, Ahmad Fatoum wrote:
> md -s /dev/mmappable.device will read out-of-bounds if the byte count to
> read exceeds the device size.
>
> Limit the size read from the memmap to fix this.
>
> Signed-off-by: Ahmad Fatoum <a.fatoum at barebox.org>
> ---
> commands/md.c | 4 ++++
> common/ratp/md.c | 4 ++++
> 2 files changed, 8 insertions(+)
>
> diff --git a/commands/md.c b/commands/md.c
> index f3758f571fb2..401538d4d8be 100644
> --- a/commands/md.c
> +++ b/commands/md.c
> @@ -25,6 +25,7 @@ static int do_mem_md(int argc, char *argv[])
> loff_t start = 0, size = 0x100;
> int r, now;
> int ret = 0;
> + struct stat st;
> int fd;
> char *filename = "/dev/mem";
> int mode = O_RWSIZE_4;
> @@ -54,6 +55,9 @@ static int do_mem_md(int argc, char *argv[])
> return 1;
> }
>
> + if (!fstat(fd, &st) && st.st_size != FILE_SIZE_STREAM)
> + size = min(size, st.st_size);
This should take start into account.
Sascha
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
More information about the barebox
mailing list