Re: [PATCH v2 resend] mtdchar: fix integer overflow in read/write ioctls

Next message: Nicolas Dufresne: "Re: [PATCH v2 12/27] media: v4l2-subdev: Introduce v4l2 subdev context"
Previous message: Peter Zijlstra: "Re: [PATCH] sched/fair: Fix DELAY_DEQUEUE issue related to cgroup throttling"
In reply to: Dan Carpenter: "[PATCH v2 resend] mtdchar: fix integer overflow in read/write ioctls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Miquel Raynal

Date: Tue Sep 30 2025 - 08:57:44 EST

Hi Dan,

On 30/09/2025 at 15:32:34 +03, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:

> The "req.start" and "req.len" variables are u64 values that come from the
> user at the start of the function. We mask away the high 32 bits of
> "req.len" so that's capped at U32_MAX but the "req.start" variable can go
> up to U64_MAX which means that the addition can still integer overflow.
>
> Use check_add_overflow() to fix this bug.
>
> Fixes: 095bb6e44eb1 ("mtdchar: add MEMREAD ioctl")
> Fixes: 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> v2: fix the tags.
> RESEND: I sent this last year but it wasn't applied.
> https://lore.kernel.org/all/Z1ax3K3-zSJExPNV@stanley.mountain/

I don't know why, perhaps it got filtered as SPAM, I don't know, but I'm
sorry about that.

I've just "closed" next, so I'll queue this in a fixes PR on top of
v5.18-rc1.

Thanks,
Miquèl