git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Dan Carpenter <dan.carpenter@linaro.org>
	Tue, 30 Sep 2025 12:32:34 +0000 (15:32 +0300)
committer	Miquel Raynal <miquel.raynal@bootlin.com>
	Wed, 22 Oct 2025 09:53:59 +0000 (11:53 +0200)
commit	e4185bed738da755b191aa3f2e16e8b48450e1b8
tree	e7ed39f0dea06784cd6cf9eaccdfb1f642feae73	tree \| snapshot
parent	3a8660878839faadb4f1a6dd72c3179c1df56787	commit \| diff

mtdchar: fix integer overflow in read/write ioctls

The "req.start" and "req.len" variables are u64 values that come from the
user at the start of the function. We mask away the high 32 bits of
"req.len" so that's capped at U32_MAX but the "req.start" variable can go
up to U64_MAX which means that the addition can still integer overflow.

Use check_add_overflow() to fix this bug.

Fixes: 095bb6e44eb1 ("mtdchar: add MEMREAD ioctl")
Fixes: 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>