Forwarded: [PATCH] mtd: mtdpart: validate partition bounds in mtd_add_partition()
From: syzbot
Date: Sat Jun 20 2026 - 09:05:21 EST
For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.
***
Subject: [PATCH] mtd: mtdpart: validate partition bounds in mtd_add_partition()
Author: kartikey406@xxxxxxxxx
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
mtd_add_partition() checks that 'length' is positive but does not
validate that 'offset + length' fits within the parent partition's
size. A userspace caller using the BLKPG_ADD_PARTITION ioctl can
supply a crafted large 'length' value that passes the length <= 0
check, causing add_mtd_device() to fire a WARN_ON() when it detects
the oversized partition.
Fix this by adding explicit bounds checks before allocate_partition()
is called:
- Reject negative or out-of-range offsets.
- Use u64 arithmetic to safely check offset + length <= parent_size,
  avoiding potential signed integer overflow.
Reported-by: syzbot+3ae80219c633aca5431c@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=3ae80219c633aca5431c
Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>
---
drivers/mtd/mtdpart.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/mtd/mtdpart.c b/drivers/mtd/mtdpart.c
index 795a94e6b482..1a0e2207e440 100644
--- a/drivers/mtd/mtdpart.c
+++ b/drivers/mtd/mtdpart.c
@@ -264,6 +264,11 @@ int mtd_add_partition(struct mtd_info *parent, const char *name,
if (length <= 0)
return -EINVAL;
+ if (offset < 0 || offset >= (long long)parent_size)
+ return -EINVAL;
+
+ if ((u64)offset + (u64)length > parent_size)
+ return -EINVAL;
memset(&part, 0, sizeof(part));
part.name = name;
part.size = length;
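Review bot: The first added condition casts in the wrong direction: "offset >= (long long)parent_size" converts parent_size to a signed type, so if parent_size is an unsigned 64-bit value above LLONG_MAX the cast goes negative and every non-negative offset is rejected. Since "offset < 0" is tested first in the same expression, comparing in the unsigned domain is safe and matches the style of the second check: "if (offset < 0 || (u64)offset >= parent_size)". The upper-bound half of that condition is also implied by the second check, because the context line above already guarantees length > 0, so "(u64)offset + (u64)length > parent_size" is true whenever offset >= parent_size; the two checks could be collapsed into "offset < 0" plus the sum test. The sum itself cannot wrap, as both operands are non-negative long long values at that point. A one-line comment stating that these bounds come from userspace through the BLKPG path described in the commit message would help a later reader see why the checks sit before the memset() of part.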
--
2.43.0