mtd: nand_bbt: fix theoretical integer overflow in BBT write
author Brian Norris <computersforpeace@gmail.com>
Sat, 28 Feb 2015 10:13:13 +0000 (02:13 -0800)
committer Brian Norris <computersforpeace@gmail.com>
Thu, 7 May 2015 03:02:37 +0000 (20:02 -0700)
This statement was written with a cast-to-loff_t to be sure to have a
full 64-bit mask. However, we don't account for the fact that
'1 << this->bbt_erase_shift' might already overflow.

This will not be a problem in practice, since eraseblocks should never
be anywhere near 4GiB. But we can do this for completeness, and quiet
Coverity in the meantime. CID #1226806.

Signed-off-by: Brian Norris <computersforpeace@gmail.com>
drivers/mtd/nand/nand_bbt.c

index 516db2c4524ba74a3e729dc586465c6c70e133de..2c4fa1a170315be748d17db8c904e9bf3e22b020 100644 (file)
@@ -719,7 +719,7 @@ static int write_bbt(struct mtd_info *mtd, uint8_t *buf,
                /* Must we save the block contents? */
                if (td->options & NAND_BBT_SAVECONTENT) {
                        /* Make it block aligned */
-                       to &= ~((loff_t)((1 << this->bbt_erase_shift) - 1));
+                       to &= ~(((loff_t)1 << this->bbt_erase_shift) - 1);
                        len = 1 << this->bbt_erase_shift;
                        res = mtd_read(mtd, to, len, &retlen, buf);
                        if (res < 0) {
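Review bot: the unchanged context line `len = 1 << this->bbt_erase_shift;` right below the fixed mask still shifts a plain int `1`, so the theoretical overflow the commit message describes for the mask remains in the length computation for a large enough bbt_erase_shift. If the goal is completeness and a clean Coverity run, widen that constant too, to match the type of `len` (its declaration is not visible in this hunk). Another option is to compute the block size once in a wide type and derive both the mask and `len` from it, so the two cannot disagree. A short comment noting that the cast must be applied before the shift would also help keep the `(loff_t)1 << ...` form from being "simplified" back later.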