From patchwork Wed Sep 8 19:39:56 2010
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 64201
Date: Wed, 8 Sep 2010 21:39:56 +0200
From: Dan Carpenter
To: David Woodhouse
Subject: [patch] mtd: sanity check input
Message-ID: <20100908193956.GB3463@bicker>
Cc: Artem Bityutskiy, kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org, H Hartley Sweeten, linux-mtd@lists.infradead.org, Ben Hutchings, "Kirill A. Shutemov"
List-Id: Linux MTD discussion mailing list

If "ur_idx" is wrong we could go past the end of the array. The "ur_idx" comes from root so it's not a huge deal, but adding a sanity check makes the code more robust.

Signed-off-by: Dan Carpenter

diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c index a825002..9c00549 100644 --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -513,6 +513,9 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg) if (get_user(ur_idx, &(ur->regionindex))) return -EFAULT; + if (ur_idx >= mtd->numeraseregions) + return -EINVAL; + kr = &(mtd->eraseregions[ur_idx]); if (put_user(kr->offset, &(ur->offset))
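
Review bot: The added test `ur_idx >= mtd->numeraseregions`, placed just before `kr = &(mtd->eraseregions[ur_idx]);`, bounds the index only from above, and that is sufficient only if the comparison is done on unsigned values. The declaration of `ur_idx` is outside this hunk, so please confirm it is an unsigned type, or add a lower-bound test, so that a negative value copied in by `get_user()` cannot pass the check and still index before the start of `eraseregions`. It would also help to say in the commit message which ioctl command this path belongs to, since the hunk context only shows `mtd_ioctl()`.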