From 9358bdb9f9f54d94ceafc650deffefd737d19fdd Mon Sep 17 00:00:00 2001 From: Ivan Stepchenko Date: Thu, 19 Jun 2025 17:53:13 +0300 Subject: [PATCH] mtd: fix possible integer overflow in erase_xfer() The expression '1 << EraseUnitSize' is evaluated in int, which causes a negative result when shifting by 31 - the upper bound of the valid range [10, 31], enforced by scan_header(). This leads to incorrect extension when storing the result in 'erase->len' (uint64_t), producing a large unexpected value. Found by Linux Verification Center (linuxtesting.org) with Svace. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Ivan Stepchenko Signed-off-by: Miquel Raynal --- drivers/mtd/ftl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/ftl.c b/drivers/mtd/ftl.c index 8c22064ead387..f2bd1984609cc 100644 --- a/drivers/mtd/ftl.c +++ b/drivers/mtd/ftl.c @@ -344,7 +344,7 @@ static int erase_xfer(partition_t *part, return -ENOMEM; erase->addr = xfer->Offset; - erase->len = 1 << part->header.EraseUnitSize; + erase->len = 1ULL << part->header.EraseUnitSize; ret = mtd_erase(part->mbd.mtd, erase); if (!ret) { -- 2.47.2