From patchwork Fri Mar 17 02:29:39 2017
X-Patchwork-Submitter: chenwy
X-Patchwork-Id: 740093
From: chenwy
Subject: [PATCH v2] mtdram: check offs and len where appropriate
Date: Fri, 17 Mar 2017 10:29:39 +0800
Message-ID: <20170317022939.5511-1-chenwy-fnst@cn.fujitsu.com>
Cc: fnstml-fjl@cn.fujitsu.com, linux-kernel@vger.kernel.org, chenwy

We should prevent the user from operating the mtd device with an illegal
offset or length.

Signed-off-by: Chen Wenyong
---
 drivers/mtd/devices/mtdram.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/drivers/mtd/devices/mtdram.c b/drivers/mtd/devices/mtdram.c
index cbd8547..83e1603 100644
--- a/drivers/mtd/devices/mtdram.c
+++ b/drivers/mtd/devices/mtdram.c
@@ -58,6 +58,10 @@ static int ram_erase(struct mtd_info *mtd, struct erase_info *instr) { if (check_offs_len(mtd, instr->addr, instr->len)) return -EINVAL; + if (mtd->size < (instr->len + instr->addr) || instr->addr < 0 + || instr->len < 0) + return -EINVAL; + memset((char *)mtd->priv + instr->addr, 0xff, instr->len); instr->state = MTD_ERASE_DONE; mtd_erase_callback(instr); @@ -67,6 +71,9 @@ static int ram_erase(struct mtd_info *mtd, struct erase_info *instr) static int ram_point(struct mtd_info *mtd, loff_t from, size_t len, size_t *retlen, void **virt, resource_size_t *phys) { + if (mtd->size < (len + from) || from < 0 || len < 0) + return -EINVAL; + *virt = mtd->priv + from; *retlen = len; return 0; @@ -74,6 +81,9 @@ static int ram_point(struct mtd_info *mtd, loff_t from, size_t len, static int ram_unpoint(struct mtd_info *mtd, loff_t from, size_t len) { + if (mtd->size < (len + from) || from < 0 || len < 0) + return -EINVAL; + return 0; } @@ -93,6 +103,9 @@ static unsigned long ram_get_unmapped_area(struct mtd_info *mtd, static int ram_read(struct mtd_info *mtd, loff_t from, size_t len, size_t *retlen, u_char *buf) { + if (mtd->size < (len + from) || from < 0 || len < 0) + return -EINVAL; + memcpy(buf, mtd->priv + from, len); *retlen = len; return 0; @@ -101,6 +114,9 @@ static int ram_read(struct mtd_info *mtd, loff_t from, size_t len, static int ram_write(struct mtd_info *mtd, loff_t to, size_t len, size_t *retlen, const u_char *buf) { + if (mtd->size < (len + to) || to < 0 || len < 0) + return -EINVAL; + memcpy((char *)mtd->priv + to, buf, len); *retlen = len; return 0;
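
Review bot: in the ram_erase() hunk, the sum instr->len + instr->addr is evaluated before either operand has been validated, so a wrapped sum can compare as in range against mtd->size. Check the offset against mtd->size first and then compare the length with the remaining space, for example "instr->addr > mtd->size || instr->len > mtd->size - instr->addr". The tests "instr->addr < 0" and "instr->len < 0" only have an effect if those fields are signed, which this diff does not show, so please confirm the types or drop the tests. Since check_offs_len(mtd, instr->addr, instr->len) is already called just above the new lines, the range test would sit more naturally inside that helper.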
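
Review bot: in the ram_point() hunk, and identically in the ram_read() and ram_write() hunks, "len < 0" can never be true because len is declared size_t in the signature, and the sign of the loff_t offset is tested only after it has already been used in the addition. Test the offset's sign first and avoid the addition altogether: "from < 0 || from > mtd->size || len > mtd->size - from" (with "to" in ram_write()). As written, a large len can wrap the sum so that the condition is false and the memcpy() below still runs with an out-of-range length.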
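
Review bot: the same three-term condition is now open-coded in five functions (ram_erase, ram_point, ram_unpoint, ram_read, ram_write); a single static helper taking (mtd, offs, len) would give one place to get the arithmetic right and keep the callers from drifting apart. ram_get_unmapped_area(), which appears in the hunk header just before ram_read(), gets no check, so the commit message should say whether that is intentional. The subject is tagged v2 but there is no changelog under the "---" line describing what changed since v1.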