diff mbox series

[v2] scsi: use unsigned int variables to parse partition table

Message ID 20241114121026.1951543-1-quic_xiaosenh@quicinc.com
State Superseded
Headers show
Series [v2] scsi: use unsigned int variables to parse partition table | expand

Commit Message

Xiaosen He Nov. 14, 2024, 12:10 p.m. UTC 
signed integer overflow happened in the following multiplication,
ext_cyl*(end_head+1)*end_sector = 0x41040*(0xff+1)*0x3f = 0xffffc000,
the overflow was caught by UBSAN and caused crash to the system,
use unsigned int instead of signed int to avoid integer overflow.

Signed-off-by: Xiaosen He <quic_xiaosenh@quicinc.com>
Signed-off-by: Jian Zhou <quic_jianzhou@quicinc.com>
---
 drivers/scsi/scsicam.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff mbox series

Patch

diff --git a/drivers/scsi/scsicam.c b/drivers/scsi/scsicam.c
index 910f4a7a3924..df33b2a147f8 100644
--- a/drivers/scsi/scsicam.c
+++ b/drivers/scsi/scsicam.c
@@ -126,13 +126,14 @@  int scsi_partsize(unsigned char *buf, unsigned long capacity,
 	       unsigned int *cyls, unsigned int *hds, unsigned int *secs)
 {
 	struct partition *p = (struct partition *)buf, *largest = NULL;
-	int i, largest_cyl;
-	int cyl, ext_cyl, end_head, end_cyl, end_sector;
+	int i;
+	unsigned int largest_cyl = UINT_MAX;
+	unsigned int cyl, ext_cyl, end_head, end_cyl, end_sector;
 	unsigned int logical_end, physical_end, ext_physical_end;
 
 
 	if (*(unsigned short *) (buf + 64) == 0xAA55) {
-		for (largest_cyl = -1, i = 0; i < 4; ++i, ++p) {
+		for (i = 0; i < 4; ++i, ++p) {
 			if (!p->sys_ind)
 				continue;
 #ifdef DEBUG
@@ -140,7 +141,7 @@  int scsi_partsize(unsigned char *buf, unsigned long capacity,
 			       i);
 #endif
 			cyl = p->cyl + ((p->sector & 0xc0) << 2);
-			if (cyl > largest_cyl) {
+			if ((largest == NULL) || (cyl > largest_cyl)) {
 				largest_cyl = cyl;
 				largest = p;
 			}