summaryrefslogtreecommitdiff
path: root/drivers/mtd
diff options
context:
space:
mode:
authorDeepanshu Kartikey <kartikey406@gmail.com>2026-06-21 04:26:25 +0530
committerMiquel Raynal <miquel.raynal@bootlin.com>2026-06-29 16:43:51 +0200
commita74e31d0a2d52c65d9a6647c87b54bf78c0d9317 (patch)
tree41ad0a00a855493caed600fe4e5a891531cccf99 /drivers/mtd
parentae9d8058f13238cad5f5d16f676da91187684581 (diff)
downloadlinux-next-a74e31d0a2d52c65d9a6647c87b54bf78c0d9317.tar.gz
linux-next-a74e31d0a2d52c65d9a6647c87b54bf78c0d9317.zip
mtd: mtdpart: validate partition bounds in mtd_add_partition()
mtd_add_partition() checks that 'length' is positive but does not validate that 'offset + length' fits within the parent partition's size. A userspace caller using the BLKPG_ADD_PARTITION ioctl can supply a crafted large 'length' value that passes the length <= 0 check, causing add_mtd_device() to fire a WARN_ON() when it detects the oversized partition. Fix this by adding explicit bounds checks before allocate_partition() is called: - Reject negative or out-of-range offsets. - Use u64 arithmetic to safely check offset + length <= parent_size, avoiding potential signed integer overflow. Reported-by: syzbot+3ae80219c633aca5431c@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ae80219c633aca5431c Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Diffstat (limited to 'drivers/mtd')
-rw-r--r--drivers/mtd/mtdpart.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/mtd/mtdpart.c b/drivers/mtd/mtdpart.c
index 7f23f8a1b59c..4b41550fd374 100644
--- a/drivers/mtd/mtdpart.c
+++ b/drivers/mtd/mtdpart.c
@@ -267,6 +267,11 @@ int mtd_add_partition(struct mtd_info *parent, const char *name,
if (length <= 0)
return -EINVAL;
+ if (offset < 0 || offset >= (long long)parent_size)
+ return -EINVAL;
+
+ if ((u64)offset + (u64)length > parent_size)
+ return -EINVAL;
memset(&part, 0, sizeof(part));
part.name = name;
part.size = length;