libnvdimm/pmem: fix a possible OOB access when read and write pmem

If offset is not zero and length is bigger than PAGE_SIZE, this will cause to out of boundary access to a page memory Fixes: 98cc093 ("block, THP: make block_device_operations.rw_page support THP") Co-developed-by: Liang ZhiCheng <[email protected]> Signed-off-by: Liang ZhiCheng <[email protected]> Signed-off-by: Li RongQing <[email protected]> Reviewed-by: Ira Weiny <[email protected]> Reviewed-by: Jeff Moyer <[email protected]> Signed-off-by: Dan Williams <[email protected]>
kmaincent · Apr 7, 2019 · 9dc6488 · 9dc6488
1 parent d2e5b64
commit 9dc6488
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/drivers/nvdimm/pmem.c b/drivers/nvdimm/pmem.c
@@ -113,13 +113,13 @@ static void write_pmem(void *pmem_addr, struct page *page,
 
 	while (len) {
 		mem = kmap_atomic(page);
-		chunk = min_t(unsigned int, len, PAGE_SIZE);
+		chunk = min_t(unsigned int, len, PAGE_SIZE - off);
 		memcpy_flushcache(pmem_addr, mem + off, chunk);
 		kunmap_atomic(mem);
 		len -= chunk;
 		off = 0;
 		page++;
-		pmem_addr += PAGE_SIZE;
+		pmem_addr += chunk;
 	}
 }
 
@@ -132,15 +132,15 @@ static blk_status_t read_pmem(struct page *page, unsigned int off,
 
 	while (len) {
 		mem = kmap_atomic(page);
-		chunk = min_t(unsigned int, len, PAGE_SIZE);
+		chunk = min_t(unsigned int, len, PAGE_SIZE - off);
 		rem = memcpy_mcsafe(mem + off, pmem_addr, chunk);
 		kunmap_atomic(mem);
 		if (rem)
 			return BLK_STS_IOERR;
 		len -= chunk;
 		off = 0;
 		page++;
-		pmem_addr += PAGE_SIZE;
+		pmem_addr += chunk;
 	}
 	return BLK_STS_OK;
 }