mtd: nand_bbt: fix theoretical integer overflow in BBT write
Linux-MTD Mailing List
linux-mtd at lists.infradead.org
Tue Jun 23 10:59:01 PDT 2015
Gitweb: http://git.infradead.org/?p=mtd-2.6.git;a=commit;h=f5cd2ae1e4ad23bc6527b4a667d3f27534730cc5
Commit: f5cd2ae1e4ad23bc6527b4a667d3f27534730cc5
Parent: 83c59542d0af36d6331e11869cd3d8197dec1551
Author: Brian Norris <computersforpeace at gmail.com>
AuthorDate: Sat Feb 28 02:13:13 2015 -0800
Committer: Brian Norris <computersforpeace at gmail.com>
CommitDate: Wed May 6 20:02:37 2015 -0700
mtd: nand_bbt: fix theoretical integer overflow in BBT write
This statement was written with a cast-to-loff_t to be sure to have a
full 64-bit mask. However, we don't account for the fact that
'1 << this->bbt_erase_shift' might already overflow.
This will not be a problem in practice, since eraseblocks should never
be anywhere near 4GiB. But we can do this for completeness, and quiet
Coverity in the meantime. CID #1226806.
Signed-off-by: Brian Norris <computersforpeace at gmail.com>
---
drivers/mtd/nand/nand_bbt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/nand/nand_bbt.c b/drivers/mtd/nand/nand_bbt.c
index 516db2c..2c4fa1a 100644
--- a/drivers/mtd/nand/nand_bbt.c
+++ b/drivers/mtd/nand/nand_bbt.c
@@ -719,7 +719,7 @@ static int write_bbt(struct mtd_info *mtd, uint8_t *buf,
/* Must we save the block contents? */
if (td->options & NAND_BBT_SAVECONTENT) {
/* Make it block aligned */
- to &= ~((loff_t)((1 << this->bbt_erase_shift) - 1));
+ to &= ~(((loff_t)1 << this->bbt_erase_shift) - 1);
len = 1 << this->bbt_erase_shift;
res = mtd_read(mtd, to, len, &retlen, buf);
if (res < 0) {
More information about the linux-mtd-cvs
mailing list