Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 23bd97eaebc55d5eef9d3cd41e3bd6189a0e9dd6
commit23bd97eaebc55d5eef9d3cd41e3bd6189a0e9dd6[log] [tgz]
authorJann Horn <jannh@google.com>Sat Jul 07 05:37:22 2018 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Wed Sep 26 08:36:37 2018 +0200
treeaf5e5f79e3889d6e494b3e72bc0aa7740560812a
parent4fe4e6d65f97cc428748fa1f75b747d51d676bf9 [diff]
mtdchar: fix overflows in adjustment of `count`

[ Upstream commit 6c6bc9ea84d0008024606bf5ba10519e20d851bf ]

The first checks in mtdchar_read() and mtdchar_write() attempt to limit
`count` such that `*ppos + count <= mtd->size`. However, they ignore the
possibility of `*ppos > mtd->size`, allowing the calculation of `count` to
wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the
pread/pwrite syscalls bypass this.

I haven't found any codepath on which this actually causes dangerous
behavior, but it seems like a sensible change anyway.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 file changed
tree: af5e5f79e3889d6e494b3e72bc0aa7740560812a
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README
  35. REPORTING-BUGS