[PATCH] mtd: nand: bbt: clamp GENMASK high bit to word boundary
Miquel Raynal
miquel.raynal at bootlin.com
Mon Apr 13 01:12:10 PDT 2026
Hi Daniel,
On 12/04/2026 at 01:05:23 +01, Daniel Golle <daniel at makrotopia.org> wrote:
> When a BBT entry straddles an unsigned long boundary, the GENMASK in
> nanddev_bbt_set_block_status() can potentially overflow because
> offs + bits_per_block - 1 can theoretically exceed BITS_PER_LONG - 1.
> Clamp the high bit so only bits within the current word are masked.
> The cross-word portion is already handled by the pos[1] block below.
>
> Discovered by UBSAN: shift-out-of-bounds in
> drivers/mtd/nand/bbt.c:116:13
> shift exponent 18446744073709551614 is too large for 64-bit type
> 'long unsigned int'
How likely is that? It doesn't matter how many bits you use per block
(today it is 2), it would require a NAND chip that covers an entire country
to reach that number of blocks. If an attacker plays with that value,
does it really matter? Apart from writing out of bounds (which is
physically impossible, we are not talking about virtual memory here) and
getting an error later on, I do not see a good reason for this.
Honestly, I find the final result much less readable than before for no
obvious added value IMO. But maybe I am looking at this the wrong way?
Thanks,
Miquèl
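The arithmetic the two mails argue about, as an added user-space example (this is not the patch, nor code from drivers/mtd/nand/bbt.c): a copy of the GENMASK() formula, the unclamped high bit an entry straddling a word boundary produces, the wrapped shift exponent that results, and a simplified model of the clamped update plus the pos[1] spill-over, with a read-back to check that the straddling entry survives. It assumes BITS_PER_LONG is 64 (as the UBSAN report implies) and uses 3 status bits per block, chosen here only so that an entry can actually cross a word boundary; the function names and the two-word cache are mine.

```c
/* Added example, not code from the patch or from the kernel.
 * Assumptions: BITS_PER_LONG == 64, 3 status bits per block. */
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG 64

/* Same arithmetic as the kernel's GENMASK() for unsigned long.
 * Precondition: l <= h < BITS_PER_LONG. For h >= BITS_PER_LONG the
 * right-shift count is out of range, which is what UBSAN reports. */
static uint64_t genmask(unsigned h, unsigned l)
{
    return ((~0ULL) - (1ULL << l) + 1) & (~0ULL >> (BITS_PER_LONG - 1 - h));
}

/* High bit the unclamped expression offs + bits_per_block - 1 yields. */
static unsigned bbt_high_bit_unclamped(unsigned entry, unsigned bits_per_block)
{
    unsigned offs = (entry * bits_per_block) % BITS_PER_LONG;
    return offs + bits_per_block - 1;
}

/* Right-shift count GENMASK(h, l) would evaluate, modelled in 64-bit
 * unsigned arithmetic: for h > BITS_PER_LONG - 1 it wraps to a huge value
 * (h == 65 gives 18446744073709551614, the number in the UBSAN report). */
static uint64_t genmask_shift_exponent(unsigned h)
{
    return (uint64_t)((int64_t)BITS_PER_LONG - 1 - (int64_t)h);
}

/* Model of the clamped update: the mask for this word stops at bit 63,
 * the remaining bits go into the low bits of the next word. */
static int bbt_set_block_status(uint64_t *cache, unsigned nwords,
                                unsigned entry, unsigned bits_per_block,
                                uint64_t status)
{
    unsigned first = entry * bits_per_block;
    unsigned widx = first / BITS_PER_LONG;
    unsigned offs = first % BITS_PER_LONG;
    unsigned high = offs + bits_per_block - 1;
    unsigned straddle = (offs + bits_per_block > BITS_PER_LONG);
    uint64_t val = status & genmask(bits_per_block - 1, 0);

    if (widx + straddle >= nwords)
        return -1;                  /* entry would run off the cache */

    if (high > BITS_PER_LONG - 1)
        high = BITS_PER_LONG - 1;   /* clamp to the current word */

    cache[widx] &= ~genmask(high, offs);
    cache[widx] |= val << offs;

    if (straddle) {
        unsigned rbits = offs + bits_per_block - BITS_PER_LONG;

        cache[widx + 1] &= ~genmask(rbits - 1, 0);
        cache[widx + 1] |= val >> (bits_per_block - rbits);
    }
    return 0;
}

/* Read-back that reassembles a straddling entry from both words. */
static uint64_t bbt_get_block_status(const uint64_t *cache, unsigned entry,
                                     unsigned bits_per_block)
{
    unsigned first = entry * bits_per_block;
    unsigned widx = first / BITS_PER_LONG;
    unsigned offs = first % BITS_PER_LONG;
    uint64_t val = cache[widx] >> offs;

    if (offs + bits_per_block > BITS_PER_LONG)
        val |= cache[widx + 1] << (BITS_PER_LONG - offs);

    return val & genmask(bits_per_block - 1, 0);
}

int main(void)
{
    uint64_t cache[2] = { 0, 0 };
    unsigned h = bbt_high_bit_unclamped(21, 3);   /* offs 63, 3 bits */

    printf("entry 21: unclamped high bit %u, GENMASK shift count %llu\n",
           h, (unsigned long long)genmask_shift_exponent(h));

    /* entries 20 and 22 are neighbours on either side of the boundary */
    bbt_set_block_status(cache, 2, 20, 3, 7);
    bbt_set_block_status(cache, 2, 21, 3, 5);
    bbt_set_block_status(cache, 2, 22, 3, 3);
    printf("cache[0]=0x%016llx cache[1]=0x%016llx\n",
           (unsigned long long)cache[0], (unsigned long long)cache[1]);
    printf("status 20=%llu 21=%llu 22=%llu\n",
           (unsigned long long)bbt_get_block_status(cache, 20, 3),
           (unsigned long long)bbt_get_block_status(cache, 21, 3),
           (unsigned long long)bbt_get_block_status(cache, 22, 3));
    return 0;
}
```

With 3 bits per block, entry 21 starts at bit 63 of word 0, so the unclamped high bit is 65 and the shift count wraps to 2^64 - 2. The clamped write masks only bit 63 of word 0 and bits 1:0 of word 1, leaving entries 20 and 22 intact, and the read-back returns 5 for entry 21.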