From patchwork Wed Sep 27 12:49:17 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Richard Genoud
X-Patchwork-Id: 819136
Message-ID: <1506516557.19393.5.camel@gmail.com>
Subject: [PATCH] mtd: nand: atmel: fix buffer overflow in atmel_pmecc_user
From: Richard Genoud
To: Boris Brezillon
Date: Wed, 27 Sep 2017 14:49:17 +0200
Cc: Richard Genoud, linux-mtd, Nicolas Ferre, Linux Kernel
List-Id: Linux MTD discussion mailing list

When calculating the size needed by struct atmel_pmecc_user *user,
the dmu and delta buffer sizes were forgotten.
This led to a memory corruption (especially with a large ecc_strength).

Link: http://lkml.kernel.org/r/1506503157.3016.5.camel@gmail.com
Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
Cc: Nicolas Ferre
Cc: stable@vger.kernel.org
Reported-by: Richard Genoud
Pointed-at-by: Boris Brezillon
Signed-off-by: Richard Genoud
Reviewed-by: Nicolas Ferre
---
 drivers/mtd/nand/atmel/pmecc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mtd/nand/atmel/pmecc.c b/drivers/mtd/nand/atmel/pmecc.c index 146af8218314..8268636675ef 100644 --- a/drivers/mtd/nand/atmel/pmecc.c +++ b/drivers/mtd/nand/atmel/pmecc.c @@ -363,7 +363,7 @@ atmel_pmecc_create_user(struct atmel_pmecc *pmecc, size += (req->ecc.strength + 1) * sizeof(u16); /* Reserve space for mu, dmu and delta. */ size = ALIGN(size, sizeof(s32)); - size += (req->ecc.strength + 1) * sizeof(s32); + size += (req->ecc.strength + 1) * sizeof(s32) * 3; user = kzalloc(size, GFP_KERNEL); if (!user)
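
Review bot: the `* 3` on the changed `size +=` line is a bare count that only the comment "Reserve space for mu, dmu and delta." ties to the three buffers, so the allocation can drift from the buffer layout again the next time a buffer is added or removed. Consider computing the per-buffer size once, `(req->ecc.strength + 1) * sizeof(s32)`, into a local and adding it once per buffer (or naming the count), then reusing that same value where the pointers into `user` are set up after `kzalloc()`. That pointer setup is outside the visible context, so it is worth confirming that each of the three regions advances by `req->ecc.strength + 1` elements of `s32`, matching what is now reserved.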