From patchwork Tue Feb 21 08:00:10 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: 
 =?utf-8?b?UGV0ZXIgUGFuIOa9mOagiyAocGV0ZXJwYW5kb25nKQ==?=
 <peterpandong@micron.com>
X-Patchwork-Id: 730356
X-Patchwork-Delegate: boris.brezillon@free-electrons.com
Return-Path: 
 <linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from bombadil.infradead.org (bombadil.infradead.org
	[65.50.211.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3vSCW16Q1Tz9s3s
	for <incoming@patchwork.ozlabs.org>;
	Tue, 21 Feb 2017 18:56:29 +1100 (AEDT)
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=lists.infradead.org
	header.i=@lists.infradead.org header.b="PqHXOCxH";
	dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20170209; h=Sender:
	Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:
	Message-ID:Date:Subject:To:From:Reply-To:Content-ID:Content-Description:
	Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
	List-Owner; bh=g9zV+nwpfm+n4vl9DETs/X51KqeHC0ettwPDkUGHJBE=;
	b=PqHXOCxHm7qN8q
	iGG92xFIuL7bs7DL9Z1Qu6efTWw18rrwZ2gtKHt9MtrfryxnG1y0/OH1SrAo93Dhf/08xBz5T9X4p
	yxgiuc1VoN7imxw+ZPbyJ7XVB8U6815VSazB9CzP4zFlfVYY2SMBEiLulKIV42HxILa0Lm73gRXGf
	rIlyGNQ+CaZ5zjzTuHbw1+NvQs/n5J3QYbGXkQTgMDvjvuE1Mx5h8Ojmurf1Q25XjKsoWzk2rA3E5
	OfNzlo8ZyEMufSmU3aD9uuB0k79cYJZCtlo8XrmNuWvO+SIBKJg1cFOdNWqNgdUIMcsdrmTSvBBXa
	YKA34tj6ybbUtOTIljzg==;
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux))
	id 1cg5J8-0004nn-Mn; Tue, 21 Feb 2017 07:56:22 +0000
Received: from mailout.micron.com ([137.201.242.129])
	by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux))
	id 1cg5DB-0007vi-2v
	for linux-mtd@lists.infradead.org; Tue, 21 Feb 2017 07:50:14 +0000
Received: from mail.micron.com (bowex17c.micron.com [137.201.21.211])
	by mailout.micron.com (8.14.4/8.14.6) with ESMTP id v1L7nkog000435;
	Tue, 21 Feb 2017 00:49:46 -0700
Received: from SIWEX5A.sing.micron.com (10.160.29.59) by bowex17c.micron.com
	(137.201.21.211) with Microsoft SMTP Server (TLS) id 15.0.1178.4;
	Tue, 21 Feb 2017 00:49:45 -0700
Received: from bowex17e.micron.com (137.201.21.213) by
	SIWEX5A.sing.micron.com
	(10.160.29.59) with Microsoft SMTP Server (TLS) id 15.0.1178.4;
	Tue, 21 Feb 2017 15:49:42 +0800
Received: from peterpan-Linux-Desktop.micron.com (10.66.12.56) by
	bowex17e.micron.com (137.201.21.213) with Microsoft SMTP Server id
	15.0.1178.4 via Frontend Transport; Tue, 21 Feb 2017 00:49:40 -0700
From: Peter Pan <peterpandong@micron.com>
To: <boris.brezillon@free-electrons.com>, <richard@nod.at>,
	<computersforpeace@gmail.com>, <linux-mtd@lists.infradead.org>
Subject: [PATCH 11/11] nand: spi: Add arguments check for read/write
Date: Tue, 21 Feb 2017 16:00:10 +0800
Message-ID: <1487664010-25926-12-git-send-email-peterpandong@micron.com>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1487664010-25926-1-git-send-email-peterpandong@micron.com>
References: <1487664010-25926-1-git-send-email-peterpandong@micron.com>
MIME-Version: 1.0
X-TM-AS-Product-Ver: SMEX-12.0.0.1464-8.100.1062-22898.003
X-TM-AS-Result: No--3.996700-0.000000-31
X-TM-AS-MatchedID: 105250-700398-863432-188019-706290-700057-708712-703529-7
	00264-851458-703399-105040-148004-148036-42000-42003
X-TM-AS-User-Approved-Sender: Yes
X-TM-AS-User-Blocked-Sender: No
X-MT-CheckInternalSenderRule: True
X-Scanned-By: MIMEDefang 2.78 on 137.201.82.98
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20170220_235013_224743_90DD3E5A 
X-CRM114-Status: GOOD (  10.36  )
X-Spam-Score: -4.2 (----)
X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary:
	Content analysis details:   (-4.2 points)
	pts rule name              description
	---- ----------------------
	--------------------------------------------------
	-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
	medium trust [137.201.242.129 listed in list.dnswl.org]
	-0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay
	domain
	-0.0 SPF_PASS               SPF: sender matches SPF record
	-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
	[score: 0.0000]
X-BeenThere: linux-mtd@lists.infradead.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: Linux MTD discussion mailing list <linux-mtd.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/linux-mtd>,
	<mailto:linux-mtd-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-mtd/>
List-Post: <mailto:linux-mtd@lists.infradead.org>
List-Help: <mailto:linux-mtd-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-mtd>,
	<mailto:linux-mtd-request@lists.infradead.org?subject=subscribe>
Cc: peterpansjtu@gmail.com, linshunquan1@hisilicon.com,
	peterpandong@micron.com
Sender: "linux-mtd" <linux-mtd-bounces@lists.infradead.org>
Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Check offset and length in spi_nand_do_read_ops and
spi_nand_do_write_ops.

Signed-off-by: Peter Pan <peterpandong@micron.com>
---
 drivers/mtd/nand/spi/spi-nand-base.c | 44 ++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/drivers/mtd/nand/spi/spi-nand-base.c b/drivers/mtd/nand/spi/spi-nand-base.c
index 5ac4b26..c7616d6 100644
--- a/drivers/mtd/nand/spi/spi-nand-base.c
+++ b/drivers/mtd/nand/spi/spi-nand-base.c
@@ -685,6 +685,7 @@ static int spi_nand_do_read_ops(struct mtd_info *mtd, loff_t from,
 			  struct mtd_oob_ops *ops)
 {
 	struct spi_nand_chip *chip = mtd_to_spi_nand(mtd);
+	struct nand_device *nand = mtd_to_nand(mtd);
 	int ret;
 	struct mtd_ecc_stats stats;
 	unsigned int max_bitflips = 0;
@@ -693,7 +694,24 @@ static int spi_nand_do_read_ops(struct mtd_info *mtd, loff_t from,
 	int ooblen = ops->mode == MTD_OPS_AUTO_OOB ?
 		mtd->oobavail : mtd->oobsize;
 
+	if (unlikely(from >= mtd->size)) {
+		pr_err("%s: attempt to read beyond end of device\n",
+				__func__);
+		return -EINVAL;
+	}
 	if (oobreadlen > 0) {
+		if (unlikely(ops->ooboffs >= ooblen)) {
+			pr_err("%s: attempt to start read outside oob\n",
+					__func__);
+			return -EINVAL;
+		}
+		if (unlikely(ops->ooboffs + oobreadlen >
+		(nand_len_to_pages(nand, mtd->size) - nand_offs_to_page(nand, from))
+		* ooblen)) {
+			pr_err("%s: attempt to read beyond end of device\n",
+					__func__);
+			return -EINVAL;
+		}
 		ooblen -= ops->ooboffs;
 		ops->oobretlen = 0;
 	}
@@ -789,12 +807,38 @@ static int spi_nand_do_write_ops(struct mtd_info *mtd, loff_t to,
 		mtd->oobavail : mtd->oobsize;
 	bool ecc_off = ops->mode == MTD_OPS_RAW;
 
+	/* Do not allow reads past end of device */
+	if (unlikely(to >= mtd->size)) {
+		pr_err("%s: attempt to write beyond end of device\n",
+				__func__);
+		return -EINVAL;
+	}
+
 	page_addr = nand_offs_to_page(nand, to);
 	page_offset = to & (nand_page_size(nand) - 1);
 	ops->retlen = 0;
 
 	/* for oob */
 	if (oobwritelen > 0) {
+		/* Do not allow write past end of page */
+		if ((ops->ooboffs + oobwritelen) > ooblen) {
+			pr_err("%s: attempt to write past end of page\n",
+					__func__);
+			return -EINVAL;
+		}
+
+		if (unlikely(ops->ooboffs >= ooblen)) {
+			pr_err("%s: attempt to start write outside oob\n",
+					__func__);
+			return -EINVAL;
+		}
+		if (unlikely(ops->ooboffs + oobwritelen >
+		(nand_len_to_pages(nand, mtd->size) - nand_offs_to_page(nand, to))
+			* ooblen)) {
+			pr_err("%s: attempt to write beyond end of device\n",
+					__func__);
+			return -EINVAL;
+		}
 		ooblen -= ops->ooboffs;
 		ops->oobretlen = 0;
 	}