diff options
| author |   Ivan Stepchenko <sid@itb.spb.ru> | 2025-06-19 17:53:13 +0300 |
|---|---|---|
| committer |   Miquel Raynal <miquel.raynal@bootlin.com> | 2025-06-19 19:14:46 +0200 |
| commit | 9358bdb9f9f54d94ceafc650deffefd737d19fdd (patch) | |
| tree | ca6c3a8cb2de86dff56b442ac8c6529bdac919d3 | |
| parent | mtd: nftl: reduce stack usage in NFTL_movebuf() (diff) | |
| download | wireguard-linux-9358bdb9f9f54d94ceafc650deffefd737d19fdd.tar.xz wireguard-linux-9358bdb9f9f54d94ceafc650deffefd737d19fdd.zip | |
mtd: fix possible integer overflow in erase_xfer()
The expression '1 << EraseUnitSize' is evaluated in int, which causes
a negative result when shifting by 31 - the upper bound of the valid
range [10, 31], enforced by scan_header(). This leads to incorrect
extension when storing the result in 'erase->len' (uint64_t), producing
a large unexpected value.
Found by Linux Verification Center (linuxtesting.org) with Svace.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ivan Stepchenko <sid@itb.spb.ru>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
| -rw-r--r-- | drivers/mtd/ftl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/mtd/ftl.c b/drivers/mtd/ftl.c index 8c22064ead38..f2bd1984609c 100644 --- a/drivers/mtd/ftl.c +++ b/drivers/mtd/ftl.c @@ -344,7 +344,7 @@ static int erase_xfer(partition_t *part, return -ENOMEM; erase->addr = xfer->Offset; - erase->len = 1 << part->header.EraseUnitSize; + erase->len = 1ULL << part->header.EraseUnitSize; ret = mtd_erase(part->mbd.mtd, erase); if (!ret) { |