diff options
| author |   Petr Tesarik <ptesarik@suse.cz> | 2014-01-30 09:48:02 +0100 |
|---|---|---|
| committer |   Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2014-02-15 11:51:02 -0800 |
| commit | 08d2d00b291ed4eb91530050274e67a761c1901d (patch) | |
| tree | 89099e1078b50ff770f06a86106edc72dc52563f /drivers/char/mem.c | |
| parent | lkdtm: include cacheflush.h (diff) | |
| download | linux-dev-08d2d00b291ed4eb91530050274e67a761c1901d.tar.xz linux-dev-08d2d00b291ed4eb91530050274e67a761c1901d.zip | |
/dev/mem: handle out-of-bounds read/write
The loff_t type may be wider than phys_addr_t (e.g. on 32-bit systems).
Consequently, the file offset may be truncated in the assignment.
Currently, /dev/mem wraps around, which may cause applications to read
or write incorrect regions of memory by accident.
Let's follow POSIX file semantics here and return 0 when reading from
and -EFBIG when writing to an offset that cannot be represented by a
phys_addr_t.
Note that the conditional is optimized out by the compiler if loff_t
has the same size as phys_addr_t.
Signed-off-by: Petr Tesarik <ptesarik@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/char/mem.c')
| -rw-r--r-- | drivers/char/mem.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/char/mem.c b/drivers/char/mem.c index 92c5937f80c3..917403fe10da 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -99,6 +99,9 @@ static ssize_t read_mem(struct file *file, char __user *buf, ssize_t read, sz; char *ptr; + if (p != *ppos) + return 0; + if (!valid_phys_addr_range(p, count)) return -EFAULT; read = 0; @@ -157,6 +160,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, unsigned long copied; void *ptr; + if (p != *ppos) + return -EFBIG; + if (!valid_phys_addr_range(p, count)) return -EFAULT; |