Re: [PATCH v3 4/4] mtdchar: add MEMREAD ioctl
From: Miquel Raynal
Date: Thu Feb 03 2022 - 04:47:03 EST
Hi Richard,
richard@xxxxxx wrote on Thu, 3 Feb 2022 10:18:56 +0100 (CET):
> Michał,
>
> ----- Ursprüngliche Mail -----
> > Von: "Michał Kępień" <kernel@xxxxxxxxxx>
> > An: "Miquel Raynal" <miquel.raynal@xxxxxxxxxxx>, "richard" <richard@xxxxxx>, "Vignesh Raghavendra" <vigneshr@xxxxxx>
> > CC: "Boris Brezillon" <boris.brezillon@xxxxxxxxxxxxx>, "linux-mtd" <linux-mtd@xxxxxxxxxxxxxxxxxxx>, "linux-kernel"
> > <linux-kernel@xxxxxxxxxxxxxxx>
> > Gesendet: Dienstag, 25. Januar 2022 11:48:22
> > Betreff: [PATCH v3 4/4] mtdchar: add MEMREAD ioctl
>
> > + if (req.start + req.len > mtd->size) {
>
> I think this can overflow since both req.start and req.len are u64.
> So an evil-doer might bypass this check.
>
> > + ret = -EINVAL;
> > + goto out;
> > + }
> > +
> > + datbuf_len = min_t(size_t, req.len, mtd->erasesize);
> > + if (datbuf_len > 0) {
> > + datbuf = kmalloc(datbuf_len, GFP_KERNEL);
>
> If mtd->erasesize is large (which is not uncommon these days) you might
> request more from kmalloc() than it can serve.
> Maybe kvmalloc() makes more sense?
Mmmh, I would really like these buffers dma-able.
I just discovered mtd_kmalloc_up_to(). Would this work?
>
> > + if (!datbuf) {
> > + ret = -ENOMEM;
> > + goto out;
> > + }
> > + }
> > +
> > + oobbuf_len = min_t(size_t, req.ooblen, mtd->erasesize);
> > + if (oobbuf_len > 0) {
> > + oobbuf = kmalloc(oobbuf_len, GFP_KERNEL);
>
> Same.
>
> Thanks,
> //richard
Thanks,
Miquèl