mtd: nand_bbt: fix theoretical integer overflow in BBT write

Linux-MTD Mailing List linux-mtd at lists.infradead.org
Tue Jun 23 10:59:01 PDT 2015


Gitweb:     http://git.infradead.org/?p=mtd-2.6.git;a=commit;h=f5cd2ae1e4ad23bc6527b4a667d3f27534730cc5
Commit:     f5cd2ae1e4ad23bc6527b4a667d3f27534730cc5
Parent:     83c59542d0af36d6331e11869cd3d8197dec1551
Author:     Brian Norris <computersforpeace at gmail.com>
AuthorDate: Sat Feb 28 02:13:13 2015 -0800
Committer:  Brian Norris <computersforpeace at gmail.com>
CommitDate: Wed May 6 20:02:37 2015 -0700

    mtd: nand_bbt: fix theoretical integer overflow in BBT write
    
    This statement was written with a cast-to-loff_t to be sure to have a
    full 64-bit mask. However, we don't account for the fact that
    '1 << this->bbt_erase_shift' might already overflow.
    
    This will not be a problem in practice, since eraseblocks should never
    be anywhere near 4GiB. But we can do this for completeness, and quiet
    Coverity in the meantime. CID #1226806.
    
    Signed-off-by: Brian Norris <computersforpeace at gmail.com>
---
 drivers/mtd/nand/nand_bbt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mtd/nand/nand_bbt.c b/drivers/mtd/nand/nand_bbt.c
index 516db2c..2c4fa1a 100644
--- a/drivers/mtd/nand/nand_bbt.c
+++ b/drivers/mtd/nand/nand_bbt.c
@@ -719,7 +719,7 @@ static int write_bbt(struct mtd_info *mtd, uint8_t *buf,
 		/* Must we save the block contents? */
 		if (td->options & NAND_BBT_SAVECONTENT) {
 			/* Make it block aligned */
-			to &= ~((loff_t)((1 << this->bbt_erase_shift) - 1));
+			to &= ~(((loff_t)1 << this->bbt_erase_shift) - 1);
 			len = 1 << this->bbt_erase_shift;
 			res = mtd_read(mtd, to, len, &retlen, buf);
 			if (res < 0) {
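Review bot: The unchanged line `len = 1 << this->bbt_erase_shift;` directly below the corrected mask still evaluates the shift in plain int, so the theoretical overflow described in the commit message remains for the length passed to mtd_read(). The shift is computed as int before the assignment regardless of the type of len, so the cast on the mask alone leaves the two expressions inconsistent. Consider widening the constant on that line as well, or computing the eraseblock size once in a wide type and deriving both the mask and len from it so they cannot disagree.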


