From patchwork Mon Jun 22 17:21:38 2009
X-Patchwork-Submitter: roel kluin
X-Patchwork-Id: 29003
Message-ID: <4A3FBDA2.3070403@gmail.com>
Date: Mon, 22 Jun 2009 19:21:38 +0200
From: Roel Kluin
To: dedekind@infradead.org
Cc: Andrew Morton, linux-mtd@lists.infradead.org
Subject: [PATCH] ubi: gluebi_{read, write} len + {from, to} can exceed mtd->size

when size_t `len' is negative it is wrapped so the test `len < 0' fails. `from' and `to' have type loff_t (signed). During the addition `len' is converted to signed. So when `len' is negative `from + len` can be less than `mtd->size' while `from' is larger than `mtd->size'.

This patch fixes this.

Signed-off-by: Roel Kluin
---
It should be correct, but please review.

diff --git a/drivers/mtd/ubi/gluebi.c b/drivers/mtd/ubi/gluebi.c index 95aaac0..093729b 100644 --- a/drivers/mtd/ubi/gluebi.c +++ b/drivers/mtd/ubi/gluebi.c @@ -173,7 +173,7 @@ static int gluebi_read(struct mtd_info *mtd, loff_t from, size_t len, int err = 0, lnum, offs, total_read; struct gluebi_device *gluebi; - if (len < 0 || from < 0 || from + len > mtd->size) + if (len > mtd->size || from < 0 || from + len > mtd->size) return -EINVAL; gluebi = container_of(mtd, struct gluebi_device, mtd); 
@@ -217,7 +217,7 @@ static int gluebi_write(struct mtd_info *mtd, loff_t to, size_t len, int err = 0, lnum, offs, total_written; struct gluebi_device *gluebi; - if (len < 0 || to < 0 || len + to > mtd->size) + if (len > mtd->size || to < 0 || len + to > mtd->size) return -EINVAL; gluebi = container_of(mtd, struct gluebi_device, mtd);
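Review bot: In the gluebi_read condition, `from + len > mtd->size` is still evaluated with `from` bounded only from below, so a `from` near the top of the loff_t range can overflow the sum even though `len` is now capped at `mtd->size`. Comparing without the addition avoids this: once `len > mtd->size` has been rejected, `from > mtd->size - len` cannot wrap. The type of `mtd->size` is not visible in this hunk, so the signedness of that comparison should be checked against its declaration.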
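Review bot: In gluebi_write the new `len > mtd->size` test carries no comment saying that it replaces a `len < 0` test which could never be true for a size_t, so a later reader may take it as redundant with `len + to > mtd->size` and drop it. A one-line comment above the condition would record that it keeps a wrapped `len` out of the sum. The operands are also ordered `len + to` here but `from + len` in gluebi_read; using the same order in both functions would make the two checks easier to compare.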