drivers/mtd/parsers/redboot.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
The value of an arithmetic expression directory * master->erasesize is
subject to overflow due to a failure to cast operands to a larger data
type before perfroming arithmetic
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Denis Arefev <arefev@swemel.ru>
---
drivers/mtd/parsers/redboot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/parsers/redboot.c b/drivers/mtd/parsers/redboot.c
index a16b42a88581..3b55b676ca6b 100644
--- a/drivers/mtd/parsers/redboot.c
+++ b/drivers/mtd/parsers/redboot.c
@@ -102,7 +102,7 @@ static int parse_redboot_partitions(struct mtd_info *master,
offset -= master->erasesize;
}
} else {
- offset = directory * master->erasesize;
+ offset = (unsigned long) directory * master->erasesize;
while (mtd_block_isbad(master, offset)) {
offset += master->erasesize;
if (offset == master->size)
--
2.25.1On Fri, 2024-03-15 at 09:37:58 UTC, Denis Arefev wrote: > The value of an arithmetic expression directory * master->erasesize is > subject to overflow due to a failure to cast operands to a larger data > type before perfroming arithmetic > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Signed-off-by: Denis Arefev <arefev@swemel.ru> Applied to https://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux.git mtd/next, thanks. Miquel
On Fri, Mar 15, 2024 at 12:37:58PM +0300, Denis Arefev wrote: > The value of an arithmetic expression directory * master->erasesize is > subject to overflow due to a failure to cast operands to a larger data > type before perfroming arithmetic ... > - offset = directory * master->erasesize; > + offset = (unsigned long) directory * master->erasesize; Usage of explicit casting can be avoided by using size_mul() from overflow.h. Usually explicit castings are prone to subtle errors. -- With Best Regards, Andy Shevchenko
© 2016 - 2026 Red Hat, Inc.