Commit 08d2d00b authored Jan 30, 2014 by Petr Tesarik Committed by Greg Kroah-Hartman Feb 15, 2014

/dev/mem: handle out-of-bounds read/write



The loff_t type may be wider than phys_addr_t (e.g. on 32-bit systems).
Consequently, the file offset may be truncated in the assignment.
Currently, /dev/mem wraps around, which may cause applications to read
or write incorrect regions of memory by accident.

Let's follow POSIX file semantics here and return 0 when reading from
and -EFBIG when writing to an offset that cannot be represented by a
phys_addr_t.

Note that the conditional is optimized out by the compiler if loff_t
has the same size as phys_addr_t.

Signed-off-by: Petr Tesarik <ptesarik@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 1bc9fac3

drivers/char/mem.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -99,6 +99,9 @@ static ssize_t read_mem(struct file file, char __user buf,
		ssize_t read, sz;
		char *ptr;

		if (p != *ppos)
		return 0;

		if (!valid_phys_addr_range(p, count))
		return -EFAULT;
		read = 0;
		@@ -157,6 +160,9 @@ static ssize_t write_mem(struct file file, const char __user buf,
		unsigned long copied;
		void *ptr;

		if (p != *ppos)
		return -EFBIG;

		if (!valid_phys_addr_range(p, count))
		return -EFAULT;