Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
mtd: mtdpart: disallow reading OOB past the end of the partition
This patch fixes the mtdpart bug which allows users reading OOB past the end of the partition. This happens because 'part_read_oob()' allows reading multiple OOB areas in one go, and mtdparts does not validate the OOB length in the request. Although there is such check in 'nand_do_read_oob()' in nand_base.c, but it checks that we do not read past the flash chip, not the partition, because in nand_base.c we work with the whole chip (e.g., mtd->size in nand_base.c is the size of the whole chip). So this check cannot be done correctly in nand_base.c and should be instead done in mtdparts.c. This problem was reported by Jason Liu <[email protected]> and reproduced with nandsim: $ modprobe nandsim first_id_byte=0x20 second_id_byte=0xaa third_id_byte=0x00 \ fourth_id_byte=0x15 parts=0x400,0x400 $ modprobe nandsim mtd_oobtest.ko dev=0 $ dmesg = snip = mtd_oobtest: attempting to read past end of device mtd_oobtest: an error is expected... mtd_oobtest: error: read past end of device = snip = mtd_oobtest: finished with 2 errors Reported-by: Jason Liu <[email protected]> Signed-off-by: Artem Bityutskiy <[email protected]> Signed-off-by: David Woodhouse <[email protected]>
- Loading branch information