From: Richard Weinberger <richard@nod.at>
To: "Michał Kępień" <kernel@kempniu.pl>
Cc: Miquel Raynal <miquel.raynal@bootlin.com>,
	 Vignesh Raghavendra <vigneshr@ti.com>,
	 linux-mtd <linux-mtd@lists.infradead.org>,
	 linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/2] mtdchar: prevent integer overflow in a safety check
Date: Tue, 7 Jun 2022 22:23:12 +0200 (CEST)
Message-ID: <1710081060.147491.1654633392520.JavaMail.zimbra@nod.at>
In-Reply-To: <20220516070601.11428-2-kernel@kempniu.pl>

----- Original Message -----
> From: "Michał Kępień" <kernel@kempniu.pl>
> To: "Miquel Raynal" <miquel.raynal@bootlin.com>, "richard" <richard@nod.at>, "Vignesh Raghavendra" <vigneshr@ti.com>
> CC: "linux-mtd" <linux-mtd@lists.infradead.org>, "linux-kernel" <linux-kernel@vger.kernel.org>
> Sent: Monday, 16 May 2022 09:06:00
> Subject: [PATCH 1/2] mtdchar: prevent integer overflow in a safety check

> Commit 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE
> ioctl") added a safety check to mtdchar_write_ioctl() which attempts to
> ensure that the write request sent by user space does not extend beyond
> the MTD device's size.  However, that check contains an addition of two
> struct mtd_write_req fields, 'start' and 'len', both of which are u64
> variables.  The result of that addition can overflow, allowing the
> safety check to be bypassed.
> 
> The arguably simplest fix - changing the data types of the relevant
> struct mtd_write_req fields - is not feasible as it would break user
> space.
> 
> Fix by making mtdchar_write_ioctl() truncate the value provided by user
> space in the 'len' field of struct mtd_write_req, so that only the lower
> 32 bits of that field are used, preventing the overflow.
> 
> While the 'ooblen' field of struct mtd_write_req is not currently used
> in any similarly flawed safety check, also truncate it to 32 bits, for
> consistency with the 'len' field and with other MTD routines handling
> OOB data.
> 
> Update include/uapi/mtd/mtd-abi.h accordingly.
> 
> Suggested-by: Richard Weinberger <richard@nod.at>
> Signed-off-by: Michał Kępień <kernel@kempniu.pl>
> ---
> drivers/mtd/mtdchar.c      | 3 +++
> include/uapi/mtd/mtd-abi.h | 4 ++--
> 2 files changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
> index d0f9c4b0285c..b2700f8467ff 100644
> --- a/drivers/mtd/mtdchar.c
> +++ b/drivers/mtd/mtdchar.c
> @@ -615,6 +615,9 @@ static int mtdchar_write_ioctl(struct mtd_info *mtd,
> 	if (!usr_oob)
> 		req.ooblen = 0;
> 
> +	req.len &= 0xffffffff;
> +	req.ooblen &= 0xffffffff;
> +
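Review bot: `req.len &= 0xffffffff;` bounds only one operand of the `start + len` comparison that the commit message describes; `req.start` stays a full u64, so a request with `start` within 4 GiB of U64_MAX and a small `len` still wraps the sum and passes this check unless a later layer rejects the offset. Consider rejecting `req.start > mtd->size` before the addition, or writing the bound as `req.len > mtd->size || req.start > mtd->size - req.len`, which cannot wrap for any pair of values. A second point: the mask silently converts a `len` such as 0x100000000 into a zero-length write that returns success, whereas -EINVAL would tell user space the request was not honoured; if a 4 GiB ceiling is intended, comparing against U32_MAX (or using lower_32_bits()) documents the limit better than a bare hex mask, and the same applies to `req.ooblen &= 0xffffffff;`.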

Yeah, I think it is reasonable to limit write requests to 4GiB.

Thanks,
//richard

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
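The overflow the commit message describes, and the effect of the 32-bit mask, can be checked in isolation. The following is an added example written for this page; it is not the patch and not code from the kernel tree. It models only the single range check in mtdchar_write_ioctl(), not the later bounds checks inside the MTD core, so a request this model accepts is not necessarily one the kernel would write. The struct layout is assumed to mirror struct mtd_write_req from include/uapi/mtd/mtd-abi.h, and the 256 MiB device size and all request values are constructed for the demonstration. A subtraction-based check that never forms start + len is shown alongside the unsafe and masked versions.

```c
/*
 * Added example, not part of the patch or of the kernel tree.
 * Models only the range check in mtdchar_write_ioctl() described in the
 * commit message; later checks inside the MTD core are not modeled.
 * Build: cc -std=c11 -Wall -o mtd_check mtd_check.c && ./mtd_check
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

/* Assumed to mirror struct mtd_write_req in include/uapi/mtd/mtd-abi.h. */
struct mtd_write_req {
	u64 start;
	u64 len;
	u64 ooblen;
	u64 usr_data;
	u64 usr_oob;
	uint8_t mode;
	uint8_t padding[7];
};

/* Constructed device size: 256 MiB. */
static const u64 MTD_SIZE = 256ULL << 20;

/* Pre-fix check as the commit message describes it: two u64 values are
 * added and the sum can wrap. Returns true when the request is accepted. */
static bool check_unsafe(struct mtd_write_req req, u64 mtd_size)
{
	return req.start + req.len <= mtd_size;
}

/* Check after this patch: len is masked to its low 32 bits first. */
static bool check_masked(struct mtd_write_req req, u64 mtd_size)
{
	u64 len = req.len & 0xffffffff;

	return req.start + len <= mtd_size;
}

/* Alternative that never forms start + len, so it cannot wrap for any
 * start/len pair and rejects oversized lengths instead of truncating. */
static bool check_subtract(struct mtd_write_req req, u64 mtd_size)
{
	return req.start <= mtd_size && req.len <= mtd_size - req.start;
}

/* Legitimate 4 KiB write at offset 0: every check must accept it. */
static struct mtd_write_req req_legit(void)
{
	return (struct mtd_write_req){ .start = 0, .len = 4096 };
}

/* len chosen so that start + len == 2^64, i.e. the sum wraps to 0. */
static struct mtd_write_req req_wrap_len(void)
{
	return (struct mtd_write_req){ .start = 4096, .len = UINT64_MAX - 4095 };
}

/* start near U64_MAX: a tiny len still wraps the sum, even after masking. */
static struct mtd_write_req req_wrap_start(void)
{
	return (struct mtd_write_req){ .start = UINT64_MAX - 1, .len = 2 };
}

/* len == 4 GiB exactly: the 32-bit mask turns it into a zero-length write. */
static struct mtd_write_req req_len_4g(void)
{
	return (struct mtd_write_req){ .start = 0, .len = 1ULL << 32 };
}

static void report(const char *name, struct mtd_write_req r)
{
	printf("%-10s start=%#018llx len=%#018llx  unsafe=%d masked=%d subtract=%d\n",
	       name, (unsigned long long)r.start, (unsigned long long)r.len,
	       check_unsafe(r, MTD_SIZE), check_masked(r, MTD_SIZE),
	       check_subtract(r, MTD_SIZE));
}

int main(void)
{
	report("legit", req_legit());
	report("wrap-len", req_wrap_len());
	report("wrap-start", req_wrap_start());
	report("len-4g", req_len_4g());
	return 0;
}
```

Running it shows the three behaviours side by side: the unsafe check accepts both wrapping requests, the masked check closes the wrap-len case but still accepts the wrap-start case and quietly accepts a 4 GiB length as a zero-length write, and the subtraction form rejects all three while accepting the legitimate request.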


Thread overview: 14+ messages
2022-05-16  7:05 [PATCH 0/2] mtdchar_write_ioctl(): prevent integer overflow, use kvmalloc() Michał Kępień
2022-05-16  7:06 ` [PATCH 1/2] mtdchar: prevent integer overflow in a safety check Michał Kępień
2022-06-07 20:23   ` Richard Weinberger [this message]
2022-06-09 13:10   ` Miquel Raynal
2022-05-16  7:06 ` [PATCH 2/2] mtdchar: use kvmalloc() for potentially large allocations Michał Kępień
2022-06-07 20:30   ` Richard Weinberger
2022-06-09 13:10   ` Miquel Raynal
