MTD: slc-nand: fix signed integer overflow in erase_bootloader [1/1]
authorxianjun.liu <xianjun.liu@amlogic.com>
Tue, 23 Jul 2019 03:14:19 +0000 (11:14 +0800)
committerTao Zeng <tao.zeng@amlogic.com>
Fri, 26 Jul 2019 05:33:06 +0000 (22:33 -0700)
PD#SWPL-11771

Problem:
Hackers can use the signed integer erase_boot_num to crash the system.

Solution:
Replace the signed variables with unsigned variables.

Verify:
AXG-S400

Change-Id: I9cc8d8f43c199f48e7d7bff2664bca740681d274
Signed-off-by: xianjun.liu <xianjun.liu@amlogic.com>
drivers/amlogic/mtd/boot.c

index 4bc0531..98b5cf0 100644 (file)
@@ -664,13 +664,13 @@ WRITE_BAD_BLOCK:
 /* extra char device for bootloader */
 #define AML_CHAR_BOOT_DEV      (0)
 #if (AML_CHAR_BOOT_DEV)
-int erase_bootloader(struct mtd_info *mtd, int boot_num)
+int erase_bootloader(struct mtd_info *mtd, uint32_t boot_num)
 {
        struct nand_chip *chip = mtd->priv;
        struct aml_nand_chip *aml_chip = mtd_to_nand_chip(mtd);
        int page, each_boot_pages, boot_copy_num;
        int pages_per_block;
-       int start_page, end_page;
+       uint32_t start_page, end_page;
        int status;
 
        if (aml_chip->bl_mode)
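Review bot: Switching `boot_num`, `start_page` and `end_page` to `uint32_t` removes the signed-overflow path, but nothing visible in this hunk bounds `boot_num`, so a large value would still wrap in any page arithmetic derived from it and could land outside the boot area. The body of erase_bootloader continues past the hunk; if it does not already reject out-of-range copies, a check such as `if (boot_num >= (uint32_t)boot_copy_num) return -EINVAL;` placed after `boot_copy_num` is computed would close that gap. `page`, `each_boot_pages` and `boot_copy_num` remain `int`, so comparisons against the new unsigned variables now convert the signed side implicitly, and it is worth confirming none of them can be negative. Any prototype of erase_bootloader declared elsewhere needs the same signature change.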
@@ -920,8 +920,9 @@ static int boot_ioctl(struct file *file, u_int cmd, u_long arg)
        struct uboot_file_info *ufi = file->private_data;
        struct mtd_info *mtd = ufi->mtd;
        void __user *argp = (void __user *)arg;
-       int ret = 0, erase_boot_num = 0;
+       int ret = 0;
        u_long size;
+       uint32_t erase_boot_num = 0;
 
        pr_debug("boot_ioctl\n");
 
@@ -1017,7 +1018,7 @@ static long boot_compat_ioctl(struct file *file, uint32_t cmd,
        }
        case BOOT_ERASE_INFO32:
        {
-               int erase_boot_num;
+               uint32_t erase_boot_num;
 
                if (copy_from_user(&erase_boot_num, argp, sizeof(int)))
                        ret = -EFAULT;
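Review bot: The `copy_from_user` call still passes `sizeof(int)` although `erase_boot_num` is now `uint32_t`; tie the length to the destination with `copy_from_user(&erase_boot_num, argp, sizeof(erase_boot_num))` so the copy size cannot drift from the variable's type. The case block continues outside the hunk, so it is not visible whether the erase is skipped once `ret = -EFAULT` is set. If it is not skipped, `erase_boot_num` would be read uninitialized here, because unlike the declaration in boot_ioctl it has no `= 0` initializer; `uint32_t erase_boot_num = 0;` would make the two paths consistent.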