From b42dd660bbec5bd71cde8e453548abb25cd0b1a6 Mon Sep 17 00:00:00 2001
From: "xianjun.liu"
Date: Tue, 23 Jul 2019 11:14:19 +0800
Subject: [PATCH] MTD: slc-nand: fix signed integer overflow in erase_bootloader [1/1]
PD#SWPL-11771
Problem: Hackers can use signed integer erase_boot_num to cause systems crash
Solution: replace signed variable with unsigned variables
Verify: AXG-S400
Change-Id: I9cc8d8f43c199f48e7d7bff2664bca740681d274
Signed-off-by: xianjun.liu
---
 drivers/amlogic/mtd/boot.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/amlogic/mtd/boot.c b/drivers/amlogic/mtd/boot.c
index 4bc0531d0d98..98b5cf055377 100644
--- a/drivers/amlogic/mtd/boot.c
+++ b/drivers/amlogic/mtd/boot.c
@@ -664,13 +664,13 @@ WRITE_BAD_BLOCK:
 /* extra char device for bootloader */
 #define AML_CHAR_BOOT_DEV (0)
 #if (AML_CHAR_BOOT_DEV)
-int erase_bootloader(struct mtd_info *mtd, int boot_num)
+int erase_bootloader(struct mtd_info *mtd, uint32_t boot_num)
 {
 struct nand_chip *chip = mtd->priv;
 struct aml_nand_chip *aml_chip = mtd_to_nand_chip(mtd);
 int page, each_boot_pages, boot_copy_num;
 int pages_per_block;
- int start_page, end_page;
+ uint32_t start_page, end_page;
 int status;
 if (aml_chip->bl_mode)
@@ -920,8 +920,9 @@ static int boot_ioctl(struct file *file, u_int cmd, u_long arg)
 struct uboot_file_info *ufi = file->private_data;
 struct mtd_info *mtd = ufi->mtd;
 void __user *argp = (void __user *)arg;
- int ret = 0, erase_boot_num = 0;
+ int ret = 0;
 u_long size;
+ uint32_t erase_boot_num = 0;
 pr_debug("boot_ioctl\n");
@@ -1017,7 +1018,7 @@ static long boot_compat_ioctl(struct file *file, uint32_t cmd,
 }
 case BOOT_ERASE_INFO32: {
- int erase_boot_num;
+ uint32_t erase_boot_num;
 if (copy_from_user(&erase_boot_num, argp, sizeof(int))) ret = -EFAULT;
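Review bot: Making `boot_num`, `start_page` and `end_page` unsigned in `erase_bootloader` rules out negative values, but nothing in the visible lines bounds the value. A large copy index arriving through `erase_boot_num` in `boot_ioctl` and `boot_compat_ioctl` (the later hunks) could presumably still yield a page range outside the boot area, or wrap in 32 bits when the range is computed. The function body continues outside the hunk, so a check may already exist there; if not, reject out-of-range input before the range is derived, e.g. `if (boot_num >= (uint32_t)boot_copy_num) return -EINVAL;` once `boot_copy_num` has been set. `page`, `each_boot_pages` and `pages_per_block` are still `int`, so any comparison of `page` with the new unsigned bounds becomes a mixed signed/unsigned comparison; giving them the same unsigned type would avoid that.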
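Review bot: In the `BOOT_ERASE_INFO32` case the `copy_from_user` length is still `sizeof(int)` although the destination is now `uint32_t`; tie the length to the object with `copy_from_user(&erase_boot_num, argp, sizeof(erase_boot_num))` so the two cannot drift apart. Unlike the declaration in `boot_ioctl`, `uint32_t erase_boot_num;` here has no initializer. The rest of the case lies outside the hunk, so it is not visible whether the erase is skipped once `ret` is set to `-EFAULT`; if it is not, the value would be used uninitialized, and `uint32_t erase_boot_num = 0;` plus an early exit on the failed copy would close that.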