Message ID | 20240315093758.20790-1-arefev@swemel.ru |
---|---|
State | Accepted |
Headers | show |
Series | mtd: partitions: redboot: Added conversion of operands to a larger type | expand |
On Fri, 2024-03-15 at 09:37:58 UTC, Denis Arefev wrote: > The value of an arithmetic expression directory * master->erasesize is > subject to overflow due to a failure to cast operands to a larger data > type before perfroming arithmetic > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Signed-off-by: Denis Arefev <arefev@swemel.ru> Applied to https://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux.git mtd/next, thanks. Miquel
On Fri, Mar 15, 2024 at 12:37:58PM +0300, Denis Arefev wrote: > The value of an arithmetic expression directory * master->erasesize is > subject to overflow due to a failure to cast operands to a larger data > type before perfroming arithmetic ... > - offset = directory * master->erasesize; > + offset = (unsigned long) directory * master->erasesize; Usage of explicit casting can be avoided by using size_mul() from overflow.h. Usually explicit castings are prone to subtle errors.
diff --git a/drivers/mtd/parsers/redboot.c b/drivers/mtd/parsers/redboot.c index a16b42a88581..3b55b676ca6b 100644 --- a/drivers/mtd/parsers/redboot.c +++ b/drivers/mtd/parsers/redboot.c @@ -102,7 +102,7 @@ static int parse_redboot_partitions(struct mtd_info *master, offset -= master->erasesize; } } else { - offset = directory * master->erasesize; + offset = (unsigned long) directory * master->erasesize; while (mtd_block_isbad(master, offset)) { offset += master->erasesize; if (offset == master->size)
The value of an arithmetic expression directory * master->erasesize is subject to overflow due to a failure to cast operands to a larger data type before perfroming arithmetic Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Denis Arefev <arefev@swemel.ru> --- drivers/mtd/parsers/redboot.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)