From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 27 Dec 2024 15:26:57 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v6.1.123~55
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=85f411db71141baf5fa6a0fcc037cd851c5a3fd4;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch
---

diff --git a/queue-5.4/mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch b/queue-5.4/mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch
new file mode 100644
index 00000000000..f90761042c4
--- /dev/null
+++ b/queue-5.4/mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch
@@ -0,0 +1,34 @@
+From 9b458e8be0d13e81ed03fffa23f8f9b528bbd786 Mon Sep 17 00:00:00 2001
+From: Zichen Xie <zichenxie0106@gmail.com>
+Date: Wed, 23 Oct 2024 16:13:10 -0500
+Subject: mtd: diskonchip: Cast an operand to prevent potential overflow
+
+From: Zichen Xie <zichenxie0106@gmail.com>
+
+commit 9b458e8be0d13e81ed03fffa23f8f9b528bbd786 upstream.
+
+There may be a potential integer overflow issue in inftl_partscan().
+parts[0].size is defined as "uint64_t"  while mtd->erasesize and
+ip->firstUnit are defined as 32-bit unsigned integer. The result of
+the calculation will be limited to 32 bits without correct casting.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zichen Xie <zichenxie0106@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/diskonchip.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/raw/diskonchip.c
++++ b/drivers/mtd/nand/raw/diskonchip.c
+@@ -1221,7 +1221,7 @@ static inline int __init inftl_partscan(
+ 		    (i == 0) && (ip->firstUnit > 0)) {
+ 			parts[0].name = " DiskOnChip IPL / Media Header partition";
+ 			parts[0].offset = 0;
+-			parts[0].size = mtd->erasesize * ip->firstUnit;
++			parts[0].size = (uint64_t)mtd->erasesize * ip->firstUnit;
+ 			numparts = 1;
+ 		}
+ 
diff --git a/queue-5.4/series b/queue-5.4/series
index 8f8fa05778b..55d5358abbf 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -33,3 +33,4 @@ of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch
 media-dvb-frontends-dib3000mb-fix-uninit-value-in-di.patch
 bpf-check-negative-offsets-in-__bpf_skb_min_len.patch
 nfsd-restore-callback-functionality-for-nfsv4.0.patch
+mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch