From patchwork Tue Jul 22 02:08:13 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Brian Norris X-Patchwork-Id: 372334 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2001:1868:205::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4E4B51400F1 for ; Tue, 22 Jul 2014 12:09:40 +1000 (EST) Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux)) id 1X9PVX-0000YM-Sz; Tue, 22 Jul 2014 02:08:47 +0000 Received: from mail-pa0-x236.google.com ([2607:f8b0:400e:c03::236]) by bombadil.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat Linux)) id 1X9PVV-0008VB-9u for linux-mtd@lists.infradead.org; Tue, 22 Jul 2014 02:08:45 +0000 Received: by mail-pa0-f54.google.com with SMTP id fa1so10879722pad.41 for ; Mon, 21 Jul 2014 19:08:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id; bh=hcquyu832XaPVywmBSpd590PDIE55GaQma8gplMwCog=; b=RJptKE+nsmYi7Dmdlz6l2Vt/aTFAA9QrSts0TwkxGpTGrOTw8722NjLCCgpsPVJdlE XHZEibdm7O9Ul3SRATpmtu6mHjumYE3SfLT6Mp8K5uYK26K89xmH9/oKQFcV8wmg1jsi /b9XlgTCCHF5DSVFPBs+jk388Qn9klLUfM4ysKPeJre7VKl5//CeR8o/wL+iSY8pdqrW TT1SNbp1GrZ2EJWpdYn0Tm/bQO3Cj8wyTggyGmqkefXH/z5Mei1vkUBE1bqytKrwRKjU ywtVmXrCd5navz/cTSoP9LmdKT7L+k6PbW3YSjlY8sXFaDx88VCKwHNrQGCQM68h6R6J 3PmA== X-Received: by 10.66.65.225 with SMTP id a1mr528446pat.139.1405994904918; Mon, 21 Jul 2014 19:08:24 -0700 (PDT) Received: from ld-irv-0074.broadcom.com (5520-maca-inet1-outside.broadcom.com. [216.31.211.11]) by mx.google.com with ESMTPSA id nq15sm21005475pdb.65.2014.07.21.19.08.23 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 21 Jul 2014 19:08:24 -0700 (PDT) From: Brian Norris To: Subject: [PATCH] mtd: terminate user-provided string Date: Mon, 21 Jul 2014 19:08:13 -0700 Message-Id: <1405994893-19649-1-git-send-email-computersforpeace@gmail.com> X-Mailer: git-send-email 1.9.1 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20140721_190845_410062_E6E60EC5 X-CRM114-Status: UNSURE ( 8.25 ) X-CRM114-Notice: Please train this message. X-Spam-Score: -0.8 (/) X-Spam-Report: SpamAssassin version 3.4.0 on bombadil.infradead.org summary: Content analysis details: (-0.8 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust [2607:f8b0:400e:c03:0:0:0:236 listed in] [list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (computersforpeace[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain Cc: Brian Norris , Ezequiel Garcia X-BeenThere: linux-mtd@lists.infradead.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Linux MTD discussion mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: "linux-mtd" Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org Noticed by Coverity as a potential security issue. Signed-off-by: Brian Norris --- Untested for now. Maybe I'll scrape together a test before applying, then it'd be worth sending -stable. drivers/mtd/mtdchar.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c index a0f54e80670c..53563955931b 100644 --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -549,6 +549,9 @@ static int mtdchar_blkpg_ioctl(struct mtd_info *mtd, if (mtd_is_partition(mtd)) return -EINVAL; + /* Sanitize user input */ + p.devname[BLKPG_DEVNAMELTH - 1] = '\0'; + return mtd_add_partition(mtd, p.devname, p.start, p.length); case BLKPG_DEL_PARTITION: