From: Richard Weinberger <richard@nod.at>
To: "Michał Kępień" <kernel@kempniu.pl>
Cc: Miquel Raynal <miquel.raynal@bootlin.com>, Vignesh Raghavendra <vigneshr@ti.com>, linux-mtd <linux-mtd@lists.infradead.org>, linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/2] mtdchar: prevent integer overflow in a safety check
Date: Tue, 7 Jun 2022 22:23:12 +0200 (CEST)
Message-ID: <1710081060.147491.1654633392520.JavaMail.zimbra@nod.at>
In-Reply-To: <20220516070601.11428-2-kernel@kempniu.pl>

----- Original Message -----
> From: "Michał Kępień" <kernel@kempniu.pl>
> To: "Miquel Raynal" <miquel.raynal@bootlin.com>, "richard" <richard@nod.at>, "Vignesh Raghavendra" <vigneshr@ti.com>
> CC: "linux-mtd" <linux-mtd@lists.infradead.org>, "linux-kernel" <linux-kernel@vger.kernel.org>
> Sent: Monday, 16 May 2022 09:06:00
> Subject: [PATCH 1/2] mtdchar: prevent integer overflow in a safety check

> Commit 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE
> ioctl") added a safety check to mtdchar_write_ioctl() which attempts to
> ensure that the write request sent by user space does not extend beyond
> the MTD device's size. However, that check contains an addition of two
> struct mtd_write_req fields, 'start' and 'len', both of which are u64
> variables. The result of that addition can overflow, allowing the
> safety check to be bypassed.
>
> The arguably simplest fix - changing the data types of the relevant
> struct mtd_write_req fields - is not feasible as it would break user
> space.
>
> Fix by making mtdchar_write_ioctl() truncate the value provided by user
> space in the 'len' field of struct mtd_write_req, so that only the lower
> 32 bits of that field are used, preventing the overflow.
>
> While the 'ooblen' field of struct mtd_write_req is not currently used
> in any similarly flawed safety check, also truncate it to 32 bits, for
> consistency with the 'len' field and with other MTD routines handling
> OOB data.
>
> Update include/uapi/mtd/mtd-abi.h accordingly.
>
> Suggested-by: Richard Weinberger <richard@nod.at>
> Signed-off-by: Michał Kępień <kernel@kempniu.pl>
> ---
>  drivers/mtd/mtdchar.c      | 3 +++
>  include/uapi/mtd/mtd-abi.h | 4 ++--
>  2 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
> index d0f9c4b0285c..b2700f8467ff 100644
> --- a/drivers/mtd/mtdchar.c
> +++ b/drivers/mtd/mtdchar.c
> @@ -615,6 +615,9 @@ static int mtdchar_write_ioctl(struct mtd_info *mtd,
>  	if (!usr_oob)
>  		req.ooblen = 0;
>  
> +	req.len &= 0xffffffff;
> +	req.ooblen &= 0xffffffff;
> +

Yeah, I think it is reasonable to limit write requests to 4GiB.

Thanks,
//richard

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
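Review bot: masking req.len in the mtdchar.c hunk removes the overflow only from the len side of the `req.start + req.len` addition the commit message describes; req.start is left as a full u64, so a start close to U64_MAX paired with a small len still wraps the sum to a value below mtd->size, unless start is range-checked against mtd->size on its own, which is not part of the quoted hunk. Consider either checking `req.start >= mtd->size` before the addition or replacing the addition with `check_add_overflow(req.start, req.len, &end)` and rejecting on overflow. A second point on the same two lines: the mask truncates silently rather than rejecting, so a caller passing len = 0x100000001 gets a 1-byte write and no error; if that is intended, a one-line comment saying len is limited to 32 bits would help the next reader, and `U32_MAX` reads clearer than the bare `0xffffffff` literal.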
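The arithmetic behind the patch, as an added example that is not code from the patch, the kernel tree or any participant in this thread: a user-space model of the bounds check the commit message describes (`start + len > mtd->size` on the u64 fields of struct mtd_write_req), run once as it was before the patch, once with the hunk's 32-bit mask on len and ooblen applied first, and once with an overflow-checked addition as an alternative. The names write_req, check_unpatched, check_patched, check_overflow_safe and verdicts, the 64 MiB device size and the requests in main() are this example's own constructions; __builtin_add_overflow is the GCC/Clang builtin that the kernel's check_add_overflow() helper is built on, and that variant is an assumption of the example, not what the patch does.

```c
/*
 * Added example, not code from the patch or the kernel: a user-space model of
 * the mtdchar_write_ioctl() bounds check described in the commit message,
 * `start + len > mtd->size` on the u64 fields of struct mtd_write_req, before
 * and after the patch masks len/ooblen to 32 bits. Names, the 64 MiB device
 * size and the requests below are this example's own constructions.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same widths as the size fields of struct mtd_write_req (all __u64 in
 * include/uapi/mtd/mtd-abi.h); the usr_data/usr_oob pointers are left out. */
struct write_req {
	uint64_t start;
	uint64_t len;
	uint64_t ooblen;
};

/* The check as the commit message describes it before the patch: a plain
 * u64 addition, which wraps silently. Returns true when the request passes. */
bool check_unpatched(const struct write_req *req, uint64_t mtd_size)
{
	return req->start + req->len <= mtd_size;
}

/* The same check after the patch: len and ooblen are masked to their low
 * 32 bits first (the two lines the hunk adds), then the addition runs. */
bool check_patched(struct write_req *req, uint64_t mtd_size)
{
	req->len &= 0xffffffff;
	req->ooblen &= 0xffffffff;
	return req->start + req->len <= mtd_size;
}

/* Alternative (an assumption of this example, not what the patch does):
 * reject any request whose start + len wraps, using the GCC/Clang builtin
 * that the kernel's check_add_overflow() helper is built on. */
bool check_overflow_safe(const struct write_req *req, uint64_t mtd_size)
{
	uint64_t end;

	if (__builtin_add_overflow(req->start, req->len, &end))
		return false;
	return end <= mtd_size;
}

/* Run all three checks on one request. Bit 0: unpatched accepts,
 * bit 1: patched accepts, bit 2: overflow-safe accepts. */
unsigned verdicts(uint64_t start, uint64_t len, uint64_t mtd_size)
{
	struct write_req raw = { start, len, 0 };
	struct write_req masked = raw;	/* check_patched() modifies its argument */
	unsigned v = 0;

	if (check_unpatched(&raw, mtd_size))
		v |= 1;
	if (check_patched(&masked, mtd_size))
		v |= 2;
	if (check_overflow_safe(&raw, mtd_size))
		v |= 4;
	return v;
}

int main(void)
{
	const uint64_t mtd_size = 64ULL << 20;	/* constructed: a 64 MiB device */
	const struct { const char *name; uint64_t start, len; } cases[] = {
		{ "in-range write",            0x100000,              0x1000 },
		{ "len chosen to wrap sum",    0x1000,                0xFFFFFFFFFFFFF000ULL },
		{ "start near U64_MAX",        0xFFFFFFFFFFFFFF00ULL, 0x200 },
		{ "len above 32 bits",         0,                     0x100000010ULL },
		{ "one byte past the end",     mtd_size,              1 },
	};

	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
		unsigned v = verdicts(cases[i].start, cases[i].len, mtd_size);

		printf("%-24s start=0x%016" PRIx64 " len=0x%016" PRIx64
		       "  unpatched=%s patched=%s overflow-safe=%s\n",
		       cases[i].name, cases[i].start, cases[i].len,
		       v & 1 ? "accept" : "reject",
		       v & 2 ? "accept" : "reject",
		       v & 4 ? "accept" : "reject");
	}
	return 0;
}
```

The second request is the bypass the commit message describes: a len picked so that start + len wraps to 0 passes the unpatched check, while the mask caps len at 4 GiB - 1, so the masked sum cannot wrap for a small start and the request is rejected; because any len the masked check accepts is below 4 GiB, the allocation that the earlier commit 6420ac0af95d set out to bound is bounded as well. The fourth request shows what the mask does instead of rejecting: a len above 32 bits is silently shortened to its low 32 bits and the write is accepted at that size. The third request is the caveat: masking len alone does not make start + len overflow-free, because start is still a full u64; whether a start like that is rejected by a separate check further down the MTD stack is outside what this page shows, so the model stops at the check as the commit message states it.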
Thread overview:

2022-05-16  7:05  [PATCH 0/2] mtdchar_write_ioctl(): prevent integer overflow, use kvmalloc()  Michał Kępień
2022-05-16  7:06    ` [PATCH 1/2] mtdchar: prevent integer overflow in a safety check  Michał Kępień
2022-06-07 20:23      ` Richard Weinberger [this message]
2022-06-09 13:10        ` Miquel Raynal
2022-05-16  7:06    ` [PATCH 2/2] mtdchar: use kvmalloc() for potentially large allocations  Michał Kępień
2022-06-07 20:30      ` Richard Weinberger
2022-06-09 13:10        ` Miquel Raynal