--- /dev/null
+From 9b458e8be0d13e81ed03fffa23f8f9b528bbd786 Mon Sep 17 00:00:00 2001
+From: Zichen Xie <zichenxie0106@gmail.com>
+Date: Wed, 23 Oct 2024 16:13:10 -0500
+Subject: mtd: diskonchip: Cast an operand to prevent potential overflow
+
+From: Zichen Xie <zichenxie0106@gmail.com>
+
+commit 9b458e8be0d13e81ed03fffa23f8f9b528bbd786 upstream.
+
+There may be a potential integer overflow issue in inftl_partscan().
+parts[0].size is defined as "uint64_t" while mtd->erasesize and
+ip->firstUnit are defined as 32-bit unsigned integer. The result of
+the calculation will be limited to 32 bits without correct casting.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zichen Xie <zichenxie0106@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/diskonchip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/raw/diskonchip.c
++++ b/drivers/mtd/nand/raw/diskonchip.c
+@@ -1098,7 +1098,7 @@ static inline int __init inftl_partscan(
+ (i == 0) && (ip->firstUnit > 0)) {
+ parts[0].name = " DiskOnChip IPL / Media Header partition";
+ parts[0].offset = 0;
+- parts[0].size = mtd->erasesize * ip->firstUnit;
++ parts[0].size = (uint64_t)mtd->erasesize * ip->firstUnit;
+ numparts = 1;
+ }
+
tcp_bpf-add-sk_rmem_alloc-related-logic-for-tcp_bpf-.patch
bpf-check-negative-offsets-in-__bpf_skb_min_len.patch
nfsd-restore-callback-functionality-for-nfsv4.0.patch
+mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
