linux/drivers/mtd
Jann Horn 6c6bc9ea84 mtdchar: fix overflows in adjustment of count
The first checks in mtdchar_read() and mtdchar_write() attempt to limit
`count` such that `*ppos + count <= mtd->size`. However, they ignore the
possibility of `*ppos > mtd->size`, allowing the calculation of `count` to
wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the
pread/pwrite syscalls bypass this.

I haven't found any codepath on which this actually causes dangerous
behavior, but it seems like a sensible change anyway.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
2018-07-18 16:46:38 +02:00
chips mtd: cfi: cmdset_0002: remove redundant variable timeo 2018-07-07 10:53:51 +02:00
devices mtd: sst25l: use mtd_device_register() 2018-07-18 16:32:38 +02:00
lpddr treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
maps mtd: maps: use mtd_device_register() where applicable 2018-07-18 16:32:36 +02:00
nand - Error path bug fix for overflow tests (Dan) 2018-06-12 18:28:00 -07:00
parsers mtd: parsers: trx: add of_match_table with the new DT binding 2018-07-07 10:51:00 +02:00
spi-nor MTD changes: 2018-06-08 10:39:20 -07:00
tests treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
ubi treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
afs.c mtd: partitions: make parsers return 'const' partition arrays 2015-12-09 10:21:57 -08:00
ar7part.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
bcm47xxpart.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
bcm63xxpart.c mtd: bcm63xxpart: give width specifier an 'int', not 'size_t' 2016-03-07 13:13:58 -08:00
cmdlinepart.c mtd: cmdlinepart: Update comment for introduction of OFFSET_CONTINUOUS 2018-05-23 10:08:48 +02:00
ftl.c treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
inftlcore.c mtd: nand: Rename nand.h into rawnand.h 2017-08-13 10:11:49 +02:00
inftlmount.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
Kconfig mtd: Move onenand code base to drivers/mtd/nand/onenand 2018-03-15 15:40:37 +01:00
Makefile mtd: Move onenand code base to drivers/mtd/nand/onenand 2018-03-15 15:40:37 +01:00
mtd_blkdevs.c mtd_blkdevs: handle highmem pages 2018-05-11 15:07:58 -06:00
mtdblock_ro.c
mtdblock.c mtd: Unconditionally update ->fail_addr and ->addr in part_erase() 2018-03-15 18:22:26 +01:00
mtdchar.c mtdchar: fix overflows in adjustment of count 2018-07-18 16:46:38 +02:00
mtdconcat.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
mtdcore.c mtd: Fallback to ->_read/write() when ->_read/write_oob() is missing 2018-07-18 16:44:03 +02:00
mtdcore.h mtd: move code adding (registering) partitions to the parse_mtd_partitions() 2018-05-07 10:10:47 +02:00
mtdoops.c treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
mtdpart.c mtd: move code adding (registering) partitions to the parse_mtd_partitions() 2018-05-07 10:10:47 +02:00
mtdsuper.c Rename superblock flags (MS_xyz -> SB_xyz) 2017-11-27 13:05:09 -08:00
mtdswap.c treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
nftlcore.c mtd: nand: Rename nand.h into rawnand.h 2017-08-13 10:11:49 +02:00
nftlmount.c mtd: nftl: remove redundant variable nb_erases 2018-07-07 10:55:05 +02:00
ofpart.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
redboot.c mtd: partitions: make parsers return 'const' partition arrays 2015-12-09 10:21:57 -08:00
rfd_ftl.c treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
sm_ftl.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
sm_ftl.h mtd: Stop assuming mtd_erase() is asynchronous 2018-03-15 18:21:07 +01:00
ssfdc.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00