[PATCH v3 4/4] mtdchar: add MEMREAD ioctl
Richard Weinberger
richard at nod.at
Thu Feb 3 01:18:56 PST 2022
Michał,
----- Ursprüngliche Mail -----
> Von: "Michał Kępień" <kernel at kempniu.pl>
> An: "Miquel Raynal" <miquel.raynal at bootlin.com>, "richard" <richard at nod.at>, "Vignesh Raghavendra" <vigneshr at ti.com>
> CC: "Boris Brezillon" <boris.brezillon at collabora.com>, "linux-mtd" <linux-mtd at lists.infradead.org>, "linux-kernel"
> <linux-kernel at vger.kernel.org>
> Gesendet: Dienstag, 25. Januar 2022 11:48:22
> Betreff: [PATCH v3 4/4] mtdchar: add MEMREAD ioctl
> + if (req.start + req.len > mtd->size) {
I think this can overflow since both req.start and req.len are u64.
So an evil-doer might bypass this check.
> + ret = -EINVAL;
> + goto out;
> + }
> +
> + datbuf_len = min_t(size_t, req.len, mtd->erasesize);
> + if (datbuf_len > 0) {
> + datbuf = kmalloc(datbuf_len, GFP_KERNEL);
If mtd->erasesize is large (which is not uncommon these days) you might
request more from kmalloc() than it can serve.
Maybe kvmalloc() makes more sense?
> + if (!datbuf) {
> + ret = -ENOMEM;
> + goto out;
> + }
> + }
> +
> + oobbuf_len = min_t(size_t, req.ooblen, mtd->erasesize);
> + if (oobbuf_len > 0) {
> + oobbuf = kmalloc(oobbuf_len, GFP_KERNEL);
Same.
Thanks,
//richard
More information about the linux-mtd
mailing list