From a74e31d0a2d52c65d9a6647c87b54bf78c0d9317 Mon Sep 17 00:00:00 2001 From: Deepanshu Kartikey Date: Sun, 21 Jun 2026 04:26:25 +0530 Subject: mtd: mtdpart: validate partition bounds in mtd_add_partition() mtd_add_partition() checks that 'length' is positive but does not validate that 'offset + length' fits within the parent partition's size. A userspace caller using the BLKPG_ADD_PARTITION ioctl can supply a crafted large 'length' value that passes the length <= 0 check, causing add_mtd_device() to fire a WARN_ON() when it detects the oversized partition. Fix this by adding explicit bounds checks before allocate_partition() is called: - Reject negative or out-of-range offsets. - Use u64 arithmetic to safely check offset + length <= parent_size, avoiding potential signed integer overflow. Reported-by: syzbot+3ae80219c633aca5431c@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ae80219c633aca5431c Signed-off-by: Deepanshu Kartikey Signed-off-by: Miquel Raynal --- drivers/mtd/mtdpart.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'drivers/mtd') diff --git a/drivers/mtd/mtdpart.c b/drivers/mtd/mtdpart.c index 7f23f8a1b59c..4b41550fd374 100644 --- a/drivers/mtd/mtdpart.c +++ b/drivers/mtd/mtdpart.c @@ -267,6 +267,11 @@ int mtd_add_partition(struct mtd_info *parent, const char *name, if (length <= 0) return -EINVAL; + if (offset < 0 || offset >= (long long)parent_size) + return -EINVAL; + + if ((u64)offset + (u64)length > parent_size) + return -EINVAL; memset(&part, 0, sizeof(part)); part.name = name; part.size = length; -- cgit v1.2.3