diff options
| author | Brian Norris <computersforpeace@gmail.com> | 2014-07-21 22:06:27 -0400 |
|---|---|---|
| committer | Brian Norris <computersforpeace@gmail.com> | 2014-08-19 14:53:07 -0400 |
| commit | 0c2b4e21444d0e274e91fc7db85caddb30988853 (patch) | |
| tree | 32be90002a86d1fe29f1675c1baed664bcf290ff | |
| parent | 36c6a7ac74044b8025488c018279115bb3c32eb0 (diff) | |
mtd: correct upper bounds check for mtd_*() APIs
When checking the upper boundary (i.e., whether an address is higher
than the maximum size of the MTD), we should be doing an inclusive check
(greater or equal). For instance, an address of 16MB (0x1000000) on a
16MB device is invalid.
The strengthening of this bounds check is redundant for those which
already have a address+length check and ensure that the length is
non-zero, but let's just fix them all, for completeness.
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
| -rw-r--r-- | drivers/mtd/mtdcore.c | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c index e4831b4159db..c1015173f2d9 100644 --- a/drivers/mtd/mtdcore.c +++ b/drivers/mtd/mtdcore.c | |||
| @@ -778,7 +778,7 @@ EXPORT_SYMBOL_GPL(__put_mtd_device); | |||
| 778 | */ | 778 | */ |
| 779 | int mtd_erase(struct mtd_info *mtd, struct erase_info *instr) | 779 | int mtd_erase(struct mtd_info *mtd, struct erase_info *instr) |
| 780 | { | 780 | { |
| 781 | if (instr->addr > mtd->size || instr->len > mtd->size - instr->addr) | 781 | if (instr->addr >= mtd->size || instr->len > mtd->size - instr->addr) |
| 782 | return -EINVAL; | 782 | return -EINVAL; |
| 783 | if (!(mtd->flags & MTD_WRITEABLE)) | 783 | if (!(mtd->flags & MTD_WRITEABLE)) |
| 784 | return -EROFS; | 784 | return -EROFS; |
| @@ -804,7 +804,7 @@ int mtd_point(struct mtd_info *mtd, loff_t from, size_t len, size_t *retlen, | |||
| 804 | *phys = 0; | 804 | *phys = 0; |
| 805 | if (!mtd->_point) | 805 | if (!mtd->_point) |
| 806 | return -EOPNOTSUPP; | 806 | return -EOPNOTSUPP; |
| 807 | if (from < 0 || from > mtd->size || len > mtd->size - from) | 807 | if (from < 0 || from >= mtd->size || len > mtd->size - from) |
| 808 | return -EINVAL; | 808 | return -EINVAL; |
| 809 | if (!len) | 809 | if (!len) |
| 810 | return 0; | 810 | return 0; |
| @@ -817,7 +817,7 @@ int mtd_unpoint(struct mtd_info *mtd, loff_t from, size_t len) | |||
| 817 | { | 817 | { |
| 818 | if (!mtd->_point) | 818 | if (!mtd->_point) |
| 819 | return -EOPNOTSUPP; | 819 | return -EOPNOTSUPP; |
| 820 | if (from < 0 || from > mtd->size || len > mtd->size - from) | 820 | if (from < 0 || from >= mtd->size || len > mtd->size - from) |
| 821 | return -EINVAL; | 821 | return -EINVAL; |
| 822 | if (!len) | 822 | if (!len) |
| 823 | return 0; | 823 | return 0; |
| @@ -835,7 +835,7 @@ unsigned long mtd_get_unmapped_area(struct mtd_info *mtd, unsigned long len, | |||
| 835 | { | 835 | { |
| 836 | if (!mtd->_get_unmapped_area) | 836 | if (!mtd->_get_unmapped_area) |
| 837 | return -EOPNOTSUPP; | 837 | return -EOPNOTSUPP; |
| 838 | if (offset > mtd->size || len > mtd->size - offset) | 838 | if (offset >= mtd->size || len > mtd->size - offset) |
| 839 | return -EINVAL; | 839 | return -EINVAL; |
| 840 | return mtd->_get_unmapped_area(mtd, len, offset, flags); | 840 | return mtd->_get_unmapped_area(mtd, len, offset, flags); |
| 841 | } | 841 | } |
| @@ -846,7 +846,7 @@ int mtd_read(struct mtd_info *mtd, loff_t from, size_t len, size_t *retlen, | |||
| 846 | { | 846 | { |
| 847 | int ret_code; | 847 | int ret_code; |
| 848 | *retlen = 0; | 848 | *retlen = 0; |
| 849 | if (from < 0 || from > mtd->size || len > mtd->size - from) | 849 | if (from < 0 || from >= mtd->size || len > mtd->size - from) |
| 850 | return -EINVAL; | 850 | return -EINVAL; |
| 851 | if (!len) | 851 | if (!len) |
| 852 | return 0; | 852 | return 0; |
| @@ -869,7 +869,7 @@ int mtd_write(struct mtd_info *mtd, loff_t to, size_t len, size_t *retlen, | |||
| 869 | const u_char *buf) | 869 | const u_char *buf) |
| 870 | { | 870 | { |
| 871 | *retlen = 0; | 871 | *retlen = 0; |
| 872 | if (to < 0 || to > mtd->size || len > mtd->size - to) | 872 | if (to < 0 || to >= mtd->size || len > mtd->size - to) |
| 873 | return -EINVAL; | 873 | return -EINVAL; |
| 874 | if (!mtd->_write || !(mtd->flags & MTD_WRITEABLE)) | 874 | if (!mtd->_write || !(mtd->flags & MTD_WRITEABLE)) |
| 875 | return -EROFS; | 875 | return -EROFS; |
| @@ -892,7 +892,7 @@ int mtd_panic_write(struct mtd_info *mtd, loff_t to, size_t len, size_t *retlen, | |||
| 892 | *retlen = 0; | 892 | *retlen = 0; |
| 893 | if (!mtd->_panic_write) | 893 | if (!mtd->_panic_write) |
| 894 | return -EOPNOTSUPP; | 894 | return -EOPNOTSUPP; |
| 895 | if (to < 0 || to > mtd->size || len > mtd->size - to) | 895 | if (to < 0 || to >= mtd->size || len > mtd->size - to) |
| 896 | return -EINVAL; | 896 | return -EINVAL; |
| 897 | if (!(mtd->flags & MTD_WRITEABLE)) | 897 | if (!(mtd->flags & MTD_WRITEABLE)) |
| 898 | return -EROFS; | 898 | return -EROFS; |
| @@ -1011,7 +1011,7 @@ int mtd_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len) | |||
| 1011 | { | 1011 | { |
| 1012 | if (!mtd->_lock) | 1012 | if (!mtd->_lock) |
| 1013 | return -EOPNOTSUPP; | 1013 | return -EOPNOTSUPP; |
| 1014 | if (ofs < 0 || ofs > mtd->size || len > mtd->size - ofs) | 1014 | if (ofs < 0 || ofs >= mtd->size || len > mtd->size - ofs) |
| 1015 | return -EINVAL; | 1015 | return -EINVAL; |
| 1016 | if (!len) | 1016 | if (!len) |
| 1017 | return 0; | 1017 | return 0; |
| @@ -1023,7 +1023,7 @@ int mtd_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len) | |||
| 1023 | { | 1023 | { |
| 1024 | if (!mtd->_unlock) | 1024 | if (!mtd->_unlock) |
| 1025 | return -EOPNOTSUPP; | 1025 | return -EOPNOTSUPP; |
| 1026 | if (ofs < 0 || ofs > mtd->size || len > mtd->size - ofs) | 1026 | if (ofs < 0 || ofs >= mtd->size || len > mtd->size - ofs) |
| 1027 | return -EINVAL; | 1027 | return -EINVAL; |
| 1028 | if (!len) | 1028 | if (!len) |
| 1029 | return 0; | 1029 | return 0; |
| @@ -1035,7 +1035,7 @@ int mtd_is_locked(struct mtd_info *mtd, loff_t ofs, uint64_t len) | |||
| 1035 | { | 1035 | { |
| 1036 | if (!mtd->_is_locked) | 1036 | if (!mtd->_is_locked) |
| 1037 | return -EOPNOTSUPP; | 1037 | return -EOPNOTSUPP; |
| 1038 | if (ofs < 0 || ofs > mtd->size || len > mtd->size - ofs) | 1038 | if (ofs < 0 || ofs >= mtd->size || len > mtd->size - ofs) |
| 1039 | return -EINVAL; | 1039 | return -EINVAL; |
| 1040 | if (!len) | 1040 | if (!len) |
| 1041 | return 0; | 1041 | return 0; |
| @@ -1045,7 +1045,7 @@ EXPORT_SYMBOL_GPL(mtd_is_locked); | |||
| 1045 | 1045 | ||
| 1046 | int mtd_block_isreserved(struct mtd_info *mtd, loff_t ofs) | 1046 | int mtd_block_isreserved(struct mtd_info *mtd, loff_t ofs) |
| 1047 | { | 1047 | { |
| 1048 | if (ofs < 0 || ofs > mtd->size) | 1048 | if (ofs < 0 || ofs >= mtd->size) |
| 1049 | return -EINVAL; | 1049 | return -EINVAL; |
| 1050 | if (!mtd->_block_isreserved) | 1050 | if (!mtd->_block_isreserved) |
| 1051 | return 0; | 1051 | return 0; |
| @@ -1055,7 +1055,7 @@ EXPORT_SYMBOL_GPL(mtd_block_isreserved); | |||
| 1055 | 1055 | ||
| 1056 | int mtd_block_isbad(struct mtd_info *mtd, loff_t ofs) | 1056 | int mtd_block_isbad(struct mtd_info *mtd, loff_t ofs) |
| 1057 | { | 1057 | { |
| 1058 | if (ofs < 0 || ofs > mtd->size) | 1058 | if (ofs < 0 || ofs >= mtd->size) |
| 1059 | return -EINVAL; | 1059 | return -EINVAL; |
| 1060 | if (!mtd->_block_isbad) | 1060 | if (!mtd->_block_isbad) |
| 1061 | return 0; | 1061 | return 0; |
| @@ -1067,7 +1067,7 @@ int mtd_block_markbad(struct mtd_info *mtd, loff_t ofs) | |||
| 1067 | { | 1067 | { |
| 1068 | if (!mtd->_block_markbad) | 1068 | if (!mtd->_block_markbad) |
| 1069 | return -EOPNOTSUPP; | 1069 | return -EOPNOTSUPP; |
| 1070 | if (ofs < 0 || ofs > mtd->size) | 1070 | if (ofs < 0 || ofs >= mtd->size) |
| 1071 | return -EINVAL; | 1071 | return -EINVAL; |
| 1072 | if (!(mtd->flags & MTD_WRITEABLE)) | 1072 | if (!(mtd->flags & MTD_WRITEABLE)) |
| 1073 | return -EROFS; | 1073 | return -EROFS; |