Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

mtdchar: fix overflows in adjustment of `count`

The first checks in mtdchar_read() and mtdchar_write() attempt to limit
`count` such that `*ppos + count <= mtd->size`. However, they ignore the
possibility of `*ppos > mtd->size`, allowing the calculation of `count` to
wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the
pread/pwrite syscalls bypass this.

I haven't found any codepath on which this actually causes dangerous
behavior, but it seems like a sensible change anyway.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>

Authored by Jann Horn, committed by Boris Brezillon
6c6bc9ea 89fd23ef

+7 -3
drivers/mtd/mtdchar.c
··· 160 160 161 161 pr_debug("MTD_read\n"); 162 162 163 - if (*ppos + count > mtd->size) 164 - count = mtd->size - *ppos; 163 + if (*ppos + count > mtd->size) { 164 + if (*ppos < mtd->size) 165 + count = mtd->size - *ppos; 166 + else 167 + count = 0; 168 + } 165 169 166 170 if (!count) 167 171 return 0; ··· 250 246 251 247 pr_debug("MTD_write\n"); 252 248 253 - if (*ppos == mtd->size) 249 + if (*ppos >= mtd->size) 254 250 return -ENOSPC; 255 251 256 252 if (*ppos + count > mtd->size)
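Review bot: in the mtdchar_read() hunk, the new `else count = 0;` branch only works because of the pre-existing `if (!count) return 0;` two lines below; that coupling is easy to miss on a later refactor. Consider an explicit early `return 0;` when `*ppos >= mtd->size` (mirroring the early `-ENOSPC` return in the write path) and a one-line comment noting that pread() bypasses the bound enforced by mtdchar_lseek(), which is the reason the extra check is needed here at all.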
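Review bot: in the mtdchar_write() hunk, changing `if (*ppos == mtd->size)` to `if (*ppos >= mtd->size)` is what keeps the unchanged `if (*ppos + count > mtd->size) count = mtd->size - *ppos;` below it from underflowing, since after the return the code can rely on `*ppos < mtd->size`. That ordering dependency deserves a short comment next to the `>=` check so the two statements are not separated or reordered later; the `-ENOSPC` result for positions past the end is consistent with the existing end-of-device behaviour.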