Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit a0d2de55 authored by Ivan Stepchenko's avatar Ivan Stepchenko Committed by Greg Kroah-Hartman
Browse files

mtd: fix possible integer overflow in erase_xfer() 



[ Upstream commit 9358bdb9f9f54d94ceafc650deffefd737d19fdd ]

The expression '1 << EraseUnitSize' is evaluated in int, which causes
a negative result when shifting by 31 - the upper bound of the valid
range [10, 31], enforced by scan_header(). This leads to incorrect
extension when storing the result in 'erase->len' (uint64_t), producing
a large unexpected value.

Found by Linux Verification Center (linuxtesting.org) with Svace.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: default avatarIvan Stepchenko <sid@itb.spb.ru>
Signed-off-by: default avatarMiquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent b890f3d8
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment