redonkable
/
remarkable-linux
1
0
Fork 0
Code Releases Activity
remarkable-linux/drivers/mtd
History
Jann Horn b888dba2e8 mtdchar: fix overflows in adjustment of `count` 
[ Upstream commit 6c6bc9ea84 ]

The first checks in mtdchar_read() and mtdchar_write() attempt to limit
`count` such that `*ppos + count <= mtd->size`. However, they ignore the
possibility of `*ppos > mtd->size`, allowing the calculation of `count` to
wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the
pread/pwrite syscalls bypass this.

I haven't found any codepath on which this actually causes dangerous
behavior, but it seems like a sensible change anyway.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2018-09-26 08:38:09 +02:00
..
chips mtd: cfi_cmdset_0002: Change erase functions to check chip good only 2018-07-11 16:29:23 +02:00
devices mtd: dataflash: Use ULL suffix for 64-bit constants 2018-08-24 13:09:04 +02:00
lpddr mtd: lpddr: show parent device in sysfs 2015-10-13 09:21:17 -07:00
maps mtd/maps: fix solutionengine.c printk format warnings 2018-09-26 08:38:00 +02:00
nand mtd: nand: qcom: Add a NULL check for devm_kasprintf() 2018-08-15 18:12:48 +02:00
onenand License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
parsers mtd: parsers: trx: fix pr_err format for printing offset 2017-06-23 10:47:54 -07:00
spi-nor mtd: spi-nor: cadence-quadspi: Fix page fault kernel panic 2018-05-01 12:58:18 -07:00
tests mtd: mtd_oobtest: Handle bitflips during reads 2018-04-12 12:32:20 +02:00
ubi mtd: ubi: wl: Fix error return code in ubi_wl_init() 2018-09-19 22:43:48 +02:00
Kconfig mtd: extract TRX parser out of bcm47xxpart into a separated module 2017-06-22 13:13:10 -07:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
afs.c mtd: partitions: make parsers return 'const' partition arrays 2015-12-09 10:21:57 -08:00
ar7part.c mtd: partitions: make parsers return 'const' partition arrays 2015-12-09 10:21:57 -08:00
bcm47xxpart.c mtd: extract TRX parser out of bcm47xxpart into a separated module 2017-06-22 13:13:10 -07:00
bcm63xxpart.c mtd: bcm63xxpart: give width specifier an 'int', not 'size_t' 2016-03-07 13:13:58 -08:00
cmdlinepart.c mtd: partitions: make parsers return 'const' partition arrays 2015-12-09 10:21:57 -08:00
ftl.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
inftlcore.c mtd: nand: Rename nand.h into rawnand.h 2017-08-13 10:11:49 +02:00
inftlmount.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
mtd_blkdevs.c mtd: blkdevs: Fix mtd block write failure 2017-08-12 14:53:24 -07:00
mtdblock.c mtd: mtdblock: remove the needless mtdblks_lock 2015-01-07 12:51:56 -08:00
mtdblock_ro.c
mtdchar.c mtdchar: fix overflows in adjustment of `count` 2018-09-26 08:38:09 +02:00
mtdconcat.c mtd: create an mtd_ooblayout_ops struct to ease ECC layout definition 2016-04-19 22:05:55 +02:00
mtdcore.c mtd: make device_type const 2017-08-21 14:33:50 +02:00
mtdcore.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mtdoops.c
mtdpart.c mtd: Fix partition alignment check on multi-erasesize devices 2017-09-27 13:53:20 +02:00
mtdsuper.c fs: Remove SB_I_DYNBDI flag 2017-04-20 12:09:55 -06:00
mtdswap.c mtd: mtdswap: remove unused variables 'dev' and 'gd' 2017-07-24 17:04:33 -07:00
nftlcore.c mtd: nand: Rename nand.h into rawnand.h 2017-08-13 10:11:49 +02:00
nftlmount.c mtd: nand: Rename nand.h into rawnand.h 2017-08-13 10:11:49 +02:00
ofpart.c mtd: Convert to using %pOF instead of full_name 2017-08-15 14:00:43 +02:00
redboot.c mtd: partitions: make parsers return 'const' partition arrays 2015-12-09 10:21:57 -08:00
rfd_ftl.c
sm_ftl.c treewide: Fix typos in printk 2016-04-18 11:23:24 +02:00
sm_ftl.h
ssfdc.c mtd: nand: Rename nand.h into rawnand.h 2017-08-13 10:11:49 +02:00