diff options
| author | Jann Horn <jannh@google.com> | 2018-07-07 05:37:22 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-09-26 08:38:09 +0200 |
| commit | b888dba2e81d2b20d4896dcdebefb7e6d7e9697d (patch) | |
| tree | 644ca401b46a70f98b6078a641d5a48367437503 /fs/namespace.c | |
| parent | 67e522a76d99a0035150b4640295aab2c573d455 (diff) | |
| download | linux-stable-b888dba2e81d2b20d4896dcdebefb7e6d7e9697d.tar.gz linux-stable-b888dba2e81d2b20d4896dcdebefb7e6d7e9697d.tar.bz2 linux-stable-b888dba2e81d2b20d4896dcdebefb7e6d7e9697d.zip | |
mtdchar: fix overflows in adjustment of `count`
[ Upstream commit 6c6bc9ea84d0008024606bf5ba10519e20d851bf ]
The first checks in mtdchar_read() and mtdchar_write() attempt to limit
`count` such that `*ppos + count <= mtd->size`. However, they ignore the
possibility of `*ppos > mtd->size`, allowing the calculation of `count` to
wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the
pread/pwrite syscalls bypass this.
I haven't found any codepath on which this actually causes dangerous
behavior, but it seems like a sensible change anyway.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/namespace.c')
0 files changed, 0 insertions, 0 deletions