----- Original Message -----
From: "Pavel Machek" pavel@denx.de
When doing a "write" ioctl call, properly check that we have permissions to do so before copying anything from userspace or anything else so we can "fail fast". This includes also covering the MEMWRITE ioctl which previously missed checking for this.
- /* "safe" commands */
- case MEMGETREGIONCOUNT:
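Review bot: only the two removed lines of this hunk are quoted, so the fragment does not show where the "safe" comment and the MEMGETREGIONCOUNT case end up; when reading the full patch, confirm that MEMGETREGIONCOUNT, a pure query that returns the erase-region count, is still reachable on a read-only fd and has not moved behind the FMODE_WRITE check along with MEMWRITE.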
I wonder if MEMSETBADBLOCK, MEMLOCK/MEMUNLOCK, BLKPG, OTPLOCK and MTDFILEMODE should be in the list of "safe" commands? Sounds like they can do at least as much damage as average MEMWRITE...
Most of the ioctls you listed are not write-exclusive because existing user space applications (such as mtd-utils) issue them on a read-only fd. So, we didn't want to break them. Before we move such an ioctl to the "non-safe" list, common user space needs to be inspected. This includes Android, OpenWrt, mtd-utils, etc.
On the other hand, this is a raw mtd, it is hard to draw the line. For NAND even reading allows an attacker to do harm, she can trigger read-disturb super efficiently using the read ioctl...
So passing an mtdchar fd (no matter whether read or write mode) to untrusted entities is a bad idea.
Thanks, //richard
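The "fail fast" ordering from the commit message and the two-list classification Richard describes, as an added user-space model that is not the kernel's mtdchar.c and not code from anyone in this thread. The command identifiers, `struct mtd_file`, `struct write_req` and `copy_from_user_model()` are stand-ins so it compiles and runs on its own; the split into "safe" and write-exclusive sets follows the thread (MEMWRITE joins MEMERASE and MEMWRITEOOB behind the FMODE_WRITE check, while the commands Pavel lists stay on the "safe" side because user space issues them on read-only fds) and is a model, not a transcription of the real switch.

```c
/* Added model of the mtdchar ioctl permission gate discussed in the thread.
 * Not kernel code: command numbers, the file struct and copy_from_user()
 * are stand-ins (assumptions) so the model builds and runs in user space. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in command identifiers; the real ones live in <mtd/mtd-user.h>. */
enum mtd_cmd {
    MEMGETINFO, MEMGETREGIONCOUNT, MEMGETREGIONINFO, MEMREADOOB,
    MEMGETBADBLOCK, MEMSETBADBLOCK, MEMLOCK, MEMUNLOCK, OTPLOCK,
    MTDFILEMODE, BLKPG,                 /* kept on the "safe" side (see thread) */
    MEMERASE, MEMWRITEOOB, MEMWRITE,    /* write-exclusive */
    MEM_CMD_UNKNOWN                     /* sentinel: anything >= this is unknown */
};

#define FMODE_READ  0x1u
#define FMODE_WRITE 0x2u

struct mtd_file { unsigned int f_mode; };   /* stand-in for struct file */

/* Modelled MEMWRITE argument (the real one is struct mtd_write_req). */
struct write_req { uint64_t start; uint64_t len; const void *data; };

/* Counts argument copies so a caller can prove the EPERM path copied nothing. */
static int copies_from_user;

static void mtd_reset_copies(void) { copies_from_user = 0; }
static int  mtd_copies(void)       { return copies_from_user; }

/* Stand-in for copy_from_user(): 0 on success, bytes not copied on failure. */
static int copy_from_user_model(void *dst, const void *src, size_t n)
{
    copies_from_user++;
    if (!src)
        return (int)n;                  /* unreadable user pointer */
    memcpy(dst, src, n);
    return 0;
}

/* Write-exclusive set, modelled after the thread: MEMWRITE now belongs here. */
static int mtd_cmd_needs_write(enum mtd_cmd cmd)
{
    switch (cmd) {
    case MEMERASE: case MEMWRITEOOB: case MEMWRITE:
        return 1;
    default:
        return 0;                       /* "safe" list: allowed on a read-only fd */
    }
}

static int mtd_cmd_is_known(enum mtd_cmd cmd) { return cmd < MEM_CMD_UNKNOWN; }

/* Permission gate, evaluated before any argument is touched. */
static int mtdchar_check_perm(const struct mtd_file *f, enum mtd_cmd cmd)
{
    if (!mtd_cmd_is_known(cmd))
        return -ENOTTY;
    if (mtd_cmd_needs_write(cmd) && !(f->f_mode & FMODE_WRITE))
        return -EPERM;
    return 0;
}

/* Modelled ioctl entry: permission first, copy second ("fail fast"). */
static int mtdchar_ioctl_model(const struct mtd_file *f, enum mtd_cmd cmd,
                               const void *uarg)
{
    struct write_req req;
    int ret = mtdchar_check_perm(f, cmd);

    if (ret)
        return ret;                     /* nothing has been copied yet */

    switch (cmd) {
    case MEMWRITE:
        if (copy_from_user_model(&req, uarg, sizeof req))
            return -EFAULT;
        /* the real handler would now call into the MTD write path */
        return 0;
    default:
        return 0;                       /* bodies of other commands not modelled */
    }
}

int main(void)
{
    struct mtd_file ro = { FMODE_READ }, rw = { FMODE_READ | FMODE_WRITE };
    struct write_req r = { 0, 4, "abcd" };   /* constructed sample request */

    mtd_reset_copies();
    printf("MEMWRITE on O_RDONLY fd: %d (copies=%d)\n",
           mtdchar_ioctl_model(&ro, MEMWRITE, &r), mtd_copies());
    printf("MEMWRITE on O_RDWR fd:   %d (copies=%d)\n",
           mtdchar_ioctl_model(&rw, MEMWRITE, &r), mtd_copies());
    printf("MEMSETBADBLOCK on O_RDONLY fd: %d\n",
           mtdchar_ioctl_model(&ro, MEMSETBADBLOCK, NULL));
    return 0;
}
```

The point of the counter is the ordering: a read-only caller issuing MEMWRITE gets -EPERM before any user memory is read, which is what the commit message means by "fail fast". The second half of the model shows Richard's caveat in code form: MEMSETBADBLOCK and friends still succeed on the read-only fd, so the gate does not turn a read-only mtdchar fd into something safe to hand to an untrusted party.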