diff options
| author | Jann Horn <jannh@google.com> | 2018-07-07 05:37:22 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-09-26 08:36:37 +0200 |
| commit | 23bd97eaebc55d5eef9d3cd41e3bd6189a0e9dd6 (patch) | |
| tree | af5e5f79e3889d6e494b3e72bc0aa7740560812a /security | |
| parent | 4fe4e6d65f97cc428748fa1f75b747d51d676bf9 (diff) | |
mtdchar: fix overflows in adjustment of `count`
[ Upstream commit 6c6bc9ea84d0008024606bf5ba10519e20d851bf ]
The first checks in mtdchar_read() and mtdchar_write() attempt to limit
`count` such that `*ppos + count <= mtd->size`. However, they ignore the
possibility of `*ppos > mtd->size`, allowing the calculation of `count` to
wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the
pread/pwrite syscalls bypass this.
I haven't found any codepath on which this actually causes dangerous
behavior, but it seems like a sensible change anyway.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'security')
0 files changed, 0 insertions, 0 deletions