diff options
| author | Deepanshu Kartikey <kartikey406@gmail.com> | 2026-06-21 04:26:25 +0530 |
|---|---|---|
| committer | Miquel Raynal <miquel.raynal@bootlin.com> | 2026-06-29 16:43:51 +0200 |
| commit | a74e31d0a2d52c65d9a6647c87b54bf78c0d9317 (patch) | |
| tree | 41ad0a00a855493caed600fe4e5a891531cccf99 /drivers/mtd | |
| parent | ae9d8058f13238cad5f5d16f676da91187684581 (diff) | |
| download | linux-next-a74e31d0a2d52c65d9a6647c87b54bf78c0d9317.tar.gz linux-next-a74e31d0a2d52c65d9a6647c87b54bf78c0d9317.zip | |
mtd: mtdpart: validate partition bounds in mtd_add_partition()
mtd_add_partition() checks that 'length' is positive but does not
validate that 'offset + length' fits within the parent partition's
size. A userspace caller using the BLKPG_ADD_PARTITION ioctl can
supply a crafted large 'length' value that passes the length <= 0
check, causing add_mtd_device() to fire a WARN_ON() when it detects
the oversized partition.
Fix this by adding explicit bounds checks before allocate_partition()
is called:
- Reject negative or out-of-range offsets.
- Use u64 arithmetic to safely check offset + length <= parent_size,
avoiding potential signed integer overflow.
Reported-by: syzbot+3ae80219c633aca5431c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ae80219c633aca5431c
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Diffstat (limited to 'drivers/mtd')
| -rw-r--r-- | drivers/mtd/mtdpart.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/mtd/mtdpart.c b/drivers/mtd/mtdpart.c index 7f23f8a1b59c..4b41550fd374 100644 --- a/drivers/mtd/mtdpart.c +++ b/drivers/mtd/mtdpart.c @@ -267,6 +267,11 @@ int mtd_add_partition(struct mtd_info *parent, const char *name, if (length <= 0) return -EINVAL; + if (offset < 0 || offset >= (long long)parent_size) + return -EINVAL; + + if ((u64)offset + (u64)length > parent_size) + return -EINVAL; memset(&part, 0, sizeof(part)); part.name = name; part.size = length; |
