Re: [PATCH v3 4/4] mtdchar: add MEMREAD ioctl

From: Richard Weinberger
Date: Thu Feb 03 2022 - 04:19:03 EST

Next message: Leo Yan: "Re: [PATCH] perf arm-spe: Use SPE data source for neoverse cores"
Previous message: Lucas De Marchi: "Re: [PATCH v3] dma-buf-map: Rename to iosys-map"
Next in thread: Miquel Raynal: "Re: [PATCH v3 4/4] mtdchar: add MEMREAD ioctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Michał,

----- Ursprüngliche Mail -----
> Von: "Michał Kępień" <kernel@xxxxxxxxxx>
> An: "Miquel Raynal" <miquel.raynal@xxxxxxxxxxx>, "richard" <richard@xxxxxx>, "Vignesh Raghavendra" <vigneshr@xxxxxx>
> CC: "Boris Brezillon" <boris.brezillon@xxxxxxxxxxxxx>, "linux-mtd" <linux-mtd@xxxxxxxxxxxxxxxxxxx>, "linux-kernel"
> <linux-kernel@xxxxxxxxxxxxxxx>
> Gesendet: Dienstag, 25. Januar 2022 11:48:22
> Betreff: [PATCH v3 4/4] mtdchar: add MEMREAD ioctl

> + if (req.start + req.len > mtd->size) {

I think this can overflow since both req.start and req.len are u64.
So an evil-doer might bypass this check.

> + ret = -EINVAL;
> + goto out;
> + }
> +
> + datbuf_len = min_t(size_t, req.len, mtd->erasesize);
> + if (datbuf_len > 0) {
> + datbuf = kmalloc(datbuf_len, GFP_KERNEL);

If mtd->erasesize is large (which is not uncommon these days) you might
request more from kmalloc() than it can serve.
Maybe kvmalloc() makes more sense?

> + if (!datbuf) {
> + ret = -ENOMEM;
> + goto out;
> + }
> + }
> +
> + oobbuf_len = min_t(size_t, req.ooblen, mtd->erasesize);
> + if (oobbuf_len > 0) {
> + oobbuf = kmalloc(oobbuf_len, GFP_KERNEL);

Same.

Thanks,
//richard

Next message: Leo Yan: "Re: [PATCH] perf arm-spe: Use SPE data source for neoverse cores"
Previous message: Lucas De Marchi: "Re: [PATCH v3] dma-buf-map: Rename to iosys-map"
Next in thread: Miquel Raynal: "Re: [PATCH v3 4/4] mtdchar: add MEMREAD ioctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]