signed integer overflow happened in the following multiplication, ext_cyl*(end_head+1)*end_sector = 0x41040*(0xff+1)*0x3f = 0xffffc000, the overflow was caught by UBSAN and caused crash to the system, use unsigned int instead of signed int to avoid integer overflow.
Signed-off-by: Xiaosen He <quic_xiaosenh@xxxxxxxxxxx>
Signed-off-by: Jian Zhou <quic_jianzhou@xxxxxxxxxxx>
---
 drivers/scsi/scsicam.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/scsicam.c b/drivers/scsi/scsicam.c
index 910f4a7a3924..544a008ea422 100644
--- a/drivers/scsi/scsicam.c
+++ b/drivers/scsi/scsicam.c
@@ -126,13 +126,14 @@ int scsi_partsize(unsigned char *buf, unsigned long capacity,
 unsigned int *cyls, unsigned int *hds, unsigned int *secs)
 {
 struct partition *p = (struct partition *)buf, *largest = NULL;
- int i, largest_cyl;
- int cyl, ext_cyl, end_head, end_cyl, end_sector;
+ int i;
+ unsigned int largest_cyl = UINT_MAX;
+ unsigned int cyl, ext_cyl, end_head, end_cyl, end_sector;
 unsigned int logical_end, physical_end, ext_physical_end;
 if (*(unsigned short *) (buf + 64) == 0xAA55) {
- for (largest_cyl = -1, i = 0; i < 4; ++i, ++p) {
+ for (i = 0; i < 4; ++i, ++p) {
 if (!p->sys_ind)
 continue;
 #ifdef DEBUG
@@ -140,7 +141,7 @@ int scsi_partsize(unsigned char *buf, unsigned long capacity,
 i);
 #endif
 cyl = p->cyl + ((p->sector & 0xc0) << 2);
- if (cyl > largest_cyl) {
+ if ((largest_cyl == UINT_MAX) || (cyl > largest_cyl)) {
 largest_cyl = cyl;
 largest = p;
 }
-- 
2.34.1
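Review bot: Declaring `cyl, ext_cyl, end_head, end_cyl, end_sector` as `unsigned int` makes the wrap defined, but it does not bound the arithmetic. The example in the commit message (0xffffc000) fits in 32 bits, so the reported case is fixed, but a larger product of `ext_cyl*(end_head+1)*end_sector` would now wrap modulo 2^32 silently instead of tripping UBSAN. These fields are decoded from the partition table in `buf`, which is device-supplied data, so I would guard that product with `check_mul_overflow()` (or compute it in a 64-bit type) and take the existing failure return on overflow. A comment above the declarations would also help, e.g. `/* CHS values come from the on-disk table; unsigned so the geometry math cannot hit signed-overflow UB */`. The multiplication itself and the rest of scsi_partsize lie outside these hunks, so whether later code already range-checks the values cannot be confirmed from here.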
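Review bot: The `UINT_MAX` sentinel in `if ((largest_cyl == UINT_MAX) || (cyl > largest_cyl))` duplicates state that `largest` already carries. `largest` starts as NULL and is assigned in the same branch as `largest_cyl`, so `if (!largest || cyl > largest_cyl)` says "first used entry, or a larger one" without a magic value, and `largest_cyl` can then simply start at 0. If the sentinel is kept, add a one-line comment explaining why it cannot collide with a real value: `cyl` is `p->cyl` plus at most 0x300 from `(p->sector & 0xc0) << 2`, which stays far below `UINT_MAX` assuming `p->cyl` is a single byte. The extra parentheses around each operand of `||` are also unnecessary.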