diff options
author | Jann Horn <jannh@google.com> | 2018-07-07 05:37:22 +0200 |
---|---|---|
committer | Boris Brezillon <boris.brezillon@bootlin.com> | 2018-07-18 16:46:38 +0200 |
commit | 6c6bc9ea84d0008024606bf5ba10519e20d851bf (patch) | |
tree | d8a2b9ee1739402d40438324bb4f825a151f9394 /drivers/mtd/lpddr | |
parent | 89fd23efa0d7934ed9ec93c77486a047759d6543 (diff) | |
download | linux-6c6bc9ea84d0008024606bf5ba10519e20d851bf.tar.bz2 |
mtdchar: fix overflows in adjustment of `count`
The first checks in mtdchar_read() and mtdchar_write() attempt to limit
`count` such that `*ppos + count <= mtd->size`. However, they ignore the
possibility of `*ppos > mtd->size`, allowing the calculation of `count` to
wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the
pread/pwrite syscalls bypass this.
I haven't found any codepath on which this actually causes dangerous
behavior, but it seems like a sensible change anyway.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Diffstat (limited to 'drivers/mtd/lpddr')
0 files changed, 0 insertions, 0 deletions