From patchwork Wed Sep 12 12:26:26 2012
X-Patchwork-Submitter: Richard Genoud
X-Patchwork-Id: 183353
From: Richard Genoud
To: David Woodhouse, Artem Bityutskiy
Cc: Richard Genoud, linux-mtd@lists.infradead.org, Adrian Hunter
Subject: [PATCH] MTD: nandsim: BUG: Fail if overridesize is too big
Date: Wed, 12 Sep 2012 14:26:26 +0200
Message-Id: <1347452786-10208-1-git-send-email-richard.genoud@gmail.com>
X-Mailer: git-send-email 1.7.2.5
List-Id: Linux MTD discussion mailing list

If override size is too big, the module was actually loaded instead of failing, because retval was not set. This led to memory corruption with the use of the freed structs nandsim and nand_chip.

Signed-off-by: Richard Genoud
---
 drivers/mtd/nand/nandsim.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/drivers/mtd/nand/nandsim.c b/drivers/mtd/nand/nandsim.c
index cf0cd31..5d881180 100644
--- a/drivers/mtd/nand/nandsim.c
+++ b/drivers/mtd/nand/nandsim.c @@ -2333,6 +2333,7 @@ static int __init ns_init_module(void) uint64_t new_size = (uint64_t)nsmtd->erasesize << overridesize; if (new_size >> overridesize != nsmtd->erasesize) { NS_ERR("overridesize is too big\n"); + retval = -EINVAL; goto err_exit; } /* N.B. This relies on nand_scan not doing anything with the size before we change it */
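Review bot: the added `retval = -EINVAL` is the right fix for this branch, but the other `goto err_exit` sites in ns_init_module deserve the same audit, since any error exit that leaves retval at its prior value lets the module load after err_exit has released the nandsim and nand_chip state the commit message mentions. Two smaller points on the visible lines: the overflow test `new_size >> overridesize != nsmtd->erasesize` depends on a shift that is undefined in C when overridesize is 64 or more, so an explicit upper bound on overridesize ahead of the shift would make the rejection deterministic rather than compiler-dependent; and because overridesize is a user-supplied module parameter, printing the offending value in the NS_ERR message would make a failed load easier to diagnose.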
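The failure mode the commit message describes, as an added example that is not nandsim's or the kernel's code: a simplified init routine with the stale-retval error path beside its corrected form, plus the same shift-based overflow check with a bound on the shift count in front of it. All names (sim_init_buggy, sim_init_fixed, scaled_size, sim_current_size) and the 16384-byte sample erase size are hypothetical.

```c
/* Added example, not code from nandsim or the kernel. Models the
 * ns_init_module error path from the patch: state is allocated, a module
 * parameter is validated, and on failure the function jumps to err_exit,
 * which frees that state. All names and the sample erase size are
 * hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SAMPLE_ERASESIZE 16384u   /* constructed value, not from the page */

struct sim_state {
    uint64_t size;
};

/* Module-level state, as nandsim keeps its chip/mtd pointers globally. */
static struct sim_state *sim;

/* Same idiom as the patched check, with one addition: a shift by the type
 * width or more is undefined in C, so overridesize is bounded first. Returns
 * the scaled size, or 0 when erasesize << overridesize does not fit. */
static uint64_t scaled_size(uint32_t erasesize, unsigned int overridesize)
{
    uint64_t new_size;

    if (overridesize >= 64)
        return 0;
    new_size = (uint64_t)erasesize << overridesize;
    if (new_size >> overridesize != erasesize)
        return 0;
    return new_size;
}

/* Size of the live state, 0 if none is loaded (helper for checks). */
static uint64_t sim_current_size(void)
{
    return sim ? sim->size : 0;
}

/* Pre-patch shape: retval starts out as 0 (success) and the error branch
 * never changes it, so the caller sees success while sim already points at
 * freed memory. */
static int sim_init_buggy(unsigned int overridesize)
{
    int retval = 0;

    sim = calloc(1, sizeof(*sim));
    if (!sim)
        return -ENOMEM;
    sim->size = scaled_size(SAMPLE_ERASESIZE, overridesize);
    if (sim->size == 0) {
        fprintf(stderr, "overridesize is too big\n");
        goto err_exit;              /* retval is still 0 here: the bug */
    }
    return retval;

err_exit:
    free(sim);                      /* sim is left dangling, as in the bug */
    return retval;
}

/* Patched shape: the error branch sets retval before the jump, so init
 * fails and nothing is left using the freed state. Clearing sim after
 * free() is an extra hardening step that is not in the patch. */
static int sim_init_fixed(unsigned int overridesize)
{
    int retval = 0;

    sim = calloc(1, sizeof(*sim));
    if (!sim)
        return -ENOMEM;
    sim->size = scaled_size(SAMPLE_ERASESIZE, overridesize);
    if (sim->size == 0) {
        fprintf(stderr, "overridesize %u is too big\n", overridesize);
        retval = -EINVAL;
        goto err_exit;
    }
    return retval;

err_exit:
    free(sim);
    sim = NULL;
    return retval;
}

int main(void)
{
    int rc;

    printf("buggy init, overridesize=70 -> %d (0 means 'loaded' on a bad parameter)\n",
           sim_init_buggy(70));
    printf("fixed init, overridesize=70 -> %d\n", sim_init_fixed(70));
    rc = sim_init_fixed(4);
    printf("fixed init, overridesize=4  -> %d, size=%llu\n",
           rc, (unsigned long long)sim_current_size());
    free(sim);
    sim = NULL;
    return 0;
}
```

Run stand-alone, the buggy variant reports 0 for an oversized parameter even though its state has already been freed, which is exactly the condition that let the real module stay loaded; the fixed variant returns -EINVAL and leaves no state behind.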