Re: [PATCH v2 resend] mtdchar: fix integer overflow in read/write ioctls

Next message: Miquel Raynal: "Re: [PATCH next] mtd: nand: realtek-ecc: Fix a IS_ERR() vs NULL bug in probe"
Previous message: Philipp Stanner: "Re: [PATCH] ALSA: maestro3: using vmalloc_array() to handle the code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Miquel Raynal

Date: Wed Oct 22 2025 - 05:56:53 EST

On Tue, 30 Sep 2025 15:32:34 +0300, Dan Carpenter wrote:
> The "req.start" and "req.len" variables are u64 values that come from the
> user at the start of the function. We mask away the high 32 bits of
> "req.len" so that's capped at U32_MAX but the "req.start" variable can go
> up to U64_MAX which means that the addition can still integer overflow.
>
> Use check_add_overflow() to fix this bug.
>
> [...]

Applied to mtd/fixes, thanks!

[1/1] mtdchar: fix integer overflow in read/write ioctls
commit: e4185bed738da755b191aa3f2e16e8b48450e1b8

Patche(s) should be available on mtd/linux.git and will be
part of the next PR (provided that no robot complains by then).

Kind regards,
Miquèl