/dev/mem: handle out-of-bounds read/write

The loff_t type may be wider than phys_addr_t (e.g. on 32-bit systems).
Consequently, the file offset may be truncated in the assignment.
Currently, /dev/mem wraps around, which may cause applications to read
or write incorrect regions of memory by accident.

Let's follow POSIX file semantics here and return 0 when reading from
and -EFBIG when writing to an offset that cannot be represented by a
phys_addr_t.

Note that the conditional is optimized out by the compiler if loff_t
has the same size as phys_addr_t.

Signed-off-by: Petr Tesarik <ptesarik@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 92c5937f80c33acac907dccb2377b6157721b33c..917403fe10da3eb62c0548bb29a2f0d898c8400a 100644 (file)
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -99,6 +99,9 @@ static ssize_t read_mem(struct file *file, char __user *buf,
        ssize_t read, sz;
        char *ptr;
 
+       if (p != *ppos)
+               return 0;
+
        if (!valid_phys_addr_range(p, count))
                return -EFAULT;
        read = 0;
@@ -157,6 +160,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
        unsigned long copied;
        void *ptr;
 
+       if (p != *ppos)
+               return -EFBIG;
+
        if (!valid_phys_addr_range(p, count))
                return -EFAULT;