    mtdchar: fix overflows in adjustment of `count` · 6c6bc9ea
    Jann Horn authored
    The first checks in mtdchar_read() and mtdchar_write() attempt to limit
    `count` such that `*ppos + count <= mtd->size`. However, they ignore the
    possibility of `*ppos > mtd->size`, allowing the calculation of `count` to
    wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the
    pread/pwrite syscalls bypass this.
    I haven't found any codepath on which this actually causes dangerous
    behavior, but it seems like a sensible change anyway.
    Fixes: 1da177e4 ("Linux-2.6.12-rc2")
    Signed-off-by: Jann Horn <jannh@google.com>
    Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
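The wraparound the commit message describes, as an added stand-alone example (not the commit's diff and not the kernel's exact lines): the clamp shapes below are assumptions modelled on the description, `MTD_SIZE` is a constructed device size, and the offset is what a `pread()` past the device end would deliver in `*ppos`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for mtd->size (a uint64_t in the kernel). */
#define MTD_SIZE ((uint64_t)0x10000)

/* Assumed pre-fix clamp: it only guards against *ppos + count running past
 * the end, not against *ppos already being past the end. When ppos > size,
 * the unsigned subtraction wraps and count becomes enormous. */
static size_t clamp_count_before(uint64_t ppos, uint64_t size, size_t count)
{
    if (ppos + count > size)
        count = size - ppos;   /* wraps for ppos > size */
    return count;
}

/* Assumed post-fix clamp: once the offset is at or past the device end,
 * nothing may be transferred, so count is forced to 0 instead of wrapping. */
static size_t clamp_count_after(uint64_t ppos, uint64_t size, size_t count)
{
    if (ppos + count > size) {
        if (ppos < size)
            count = size - ppos;
        else
            count = 0;
    }
    return count;
}

int main(void)
{
    uint64_t offset = MTD_SIZE + 0x100;  /* constructed: offset beyond the device */
    size_t count = 512;

    printf("before fix: count=%zu\n", clamp_count_before(offset, MTD_SIZE, count));
    printf("after fix:  count=%zu\n", clamp_count_after(offset, MTD_SIZE, count));
    return 0;
}
```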