Date:   Fri, 3 Feb 2023 23:18:21 +0300
From:   Karina Yankevich <k.yankevich@....ru>
To:     Alan Stern <stern@...land.harvard.edu>
CC:     Karina Yankevich <k.yankevich@....ru>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        <linux-usb@...r.kernel.org>,
        <usb-storage@...ts.one-eyed-alien.net>,
        <linux-kernel@...r.kernel.org>, <lvc-project@...uxtesting.org>
Subject: [PATCH] usb: storage: sddr55: avoid integer overflow

We're possibly losing information by shifting an int.
Fix it by adding the necessary cast.

Found by OMP on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Karina Yankevich <k.yankevich@....ru>
---
 drivers/usb/storage/sddr55.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/storage/sddr55.c b/drivers/usb/storage/sddr55.c
index 15dc25801cdc..4aeff73de147 100644
--- a/drivers/usb/storage/sddr55.c
+++ b/drivers/usb/storage/sddr55.c
@@ -236,7 +236,7 @@ static int sddr55_read_data(struct us_data *us,
 			memset (buffer, 0, len);
 		} else {
 
-			address = (pba << info->blockshift) + page;
+			address = ((unsigned long)pba << info->blockshift) + page;
 
 			command[0] = 0;
 			command[1] = LSB_of(address>>16);
@@ -411,7 +411,7 @@ static int sddr55_write_data(struct us_data *us,
 			command[4] = 0x40;
 		}
 
-		address = (pba << info->blockshift) + page;
+		address = ((unsigned long)pba << info->blockshift) + page;
 
 		command[1] = LSB_of(address>>16);
 		command[2] = LSB_of(address>>8); 
-- 
2.39.1

Powered by blists - more mailing lists