[lvc-project] [PATCH] mtd: fix possible integer overflow in erase_xfer()
Miquel Raynal
miquel.raynal at bootlin.com
Thu Jun 19 20:14:52 MSK 2025
On Thu, 19 Jun 2025 17:53:13 +0300, Ivan Stepchenko wrote:
> The expression '1 << EraseUnitSize' is evaluated in int, which causes
> a negative result when shifting by 31 - the upper bound of the valid
> range [10, 31], enforced by scan_header(). This leads to incorrect
> extension when storing the result in 'erase->len' (uint64_t), producing
> a large unexpected value.
>
> Found by Linux Verification Center (linuxtesting.org) with Svace.
>
> [...]
Applied to mtd/next, thanks!
[1/1] mtd: fix possible integer overflow in erase_xfer()
commit: 9358bdb9f9f54d94ceafc650deffefd737d19fdd
Patche(s) should be available on mtd/linux.git and will be
part of the next PR (provided that no robot complains by then).
Kind regards,
Miquèl
More information about the lvc-project
mailing list