
Commit f5cd2ae1 authored by Brian Norris

mtd: nand_bbt: fix theoretical integer overflow in BBT write



This statement was written with a cast-to-loff_t to be sure to have a
full 64-bit mask. However, we don't account for the fact that
'1 << this->bbt_erase_shift' might already overflow.

This will not be a problem in practice, since eraseblocks should never
be anywhere near 4GiB. But we can do this for completeness, and quiet
Coverity in the meantime. CID #1226806.

Signed-off-by: Brian Norris <computersforpeace@gmail.com>
parent 83c59542
+1 −1
@@ -719,7 +719,7 @@ static int write_bbt(struct mtd_info *mtd, uint8_t *buf,
		/* Must we save the block contents? */
		if (td->options & NAND_BBT_SAVECONTENT) {
			/* Make it block aligned */
			to &= ~((loff_t)((1 << this->bbt_erase_shift) - 1));
			to &= ~(((loff_t)1 << this->bbt_erase_shift) - 1);
			len = 1 << this->bbt_erase_shift;
			res = mtd_read(mtd, to, len, &retlen, buf);
			if (res < 0) {
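Review bot: The context line `len = 1 << this->bbt_erase_shift;` directly below the changed mask still evaluates the shift as a plain int, so the overflow pattern the commit message describes is left in place one line after the fix. If the shift were ever large enough to matter for the mask, the length passed to mtd_read() would no longer agree with the alignment applied to `to`. Consider computing the eraseblock size once in a wide type, as `(loff_t)1 << this->bbt_erase_shift`, and deriving both the mask and `len` from it, or state in the commit message why `len` is intentionally left as is.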