[PATCH v2 RESEND] mtd: afs: validate v2 image info bounds
Linus Walleij
linusw at kernel.org
Thu Jul 9 14:48:11 PDT 2026
Hi Pengpeng,
thanks for your patch!
On Wed, Jul 8, 2026 at 3:49 AM Pengpeng Hou <pengpeng at iscas.ac.cn> wrote:
> The AFS v2 parser uses footer[8] to locate the image information block
> inside the current erase block, then uses the image information
> region_count to walk entries from a fixed local array. The footer offset
> and region count come from flash contents and are not checked against the
> erase block or the local image-info array before use.
>
> Reject v2 entries whose image information offset would underflow the
> erase block calculation, and reject region counts that cannot fit in the
> local image-info array before walking region entries.
>
> Fixes: b7cf5e2830bb ("mtd: afs: add v2 partition parsing")
> Cc: stable at vger.kernel.org
I don't know if this is stable material. No-one is running into any
regressions, I think this was discovered by code analysis and
is mostly theoretical problems.
> Signed-off-by: Pengpeng Hou <pengpeng at iscas.ac.cn>
> + if (mtd->erasesize < sizeof(footer))
> + return -EINVAL;
You are aware that no system has an erase block size less than
64KB in practice, and sizeof(footer) is 48 bytes?
This is why I say this kind of "bugs" are pretty
theoretical.
> name = (char *) &footer[0];
> version = footer[9];
> + if (footer[8] > mtd->erasesize - sizeof(footer))
> + return -EINVAL;
The same theoretical thing here. footer[8] is 0..255 but
erasesize is at least 65535 and sizeof(footer) is 48 bytes.
In essence this code translates to:
is something between 0 and 255 more than 65535 (or more) - 48?
The compiler will of course just optimize this out, but I'm just
pointing it out.
I understand this kind of fixes are aesthetically pleasing
but they are not bugs. More like ornaments for coders.
> @@ -278,6 +283,8 @@ static int afs_parse_v2_partition(struct mtd_info *mtd,
> entrypoint = imginfo[pad];
> attributes = imginfo[pad+1];
> region_count = imginfo[pad+2];
> + if (region_count > (ARRAY_SIZE(imginfo) - pad - 3) / 4)
> + return -EINVAL;
This is valid sanitization of region_count however!
Acked-by: Linus Walleij <linusw at kernel.org>
Yours,
Linus Walleij
More information about the linux-mtd
mailing list