mmap/mmap: Fix integer overflow in binary search

wanda-phi · Daniel Kiper · commit 170221b355de · 2026-02-11T17:24:34.000+01:00
The integer overflow triggered for simple masks in the "badram"
command, such as "badram 0x0000000012340000,0xfffffffffffffff8".
This resulted in an infinite loop, locking up the machine.

Signed-off-by: Wanda Phinode &lt;wanda@phinode.net&gt;
Reviewed-by: Vladimir Serbinenko &lt;phcoder@gmail.com&gt;
Reviewed-by: Sudhakar Kuppusamy &lt;sudhakar@linux.ibm.com&gt;
Reviewed-by: Daniel Kiper &lt;daniel.kiper@oracle.com&gt;
diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
@@ -409,7 +409,7 @@ badram_iter (grub_uint64_t addr, grub_uint64_t size,
       */
       while (high - low > 1)
 	{
-	  cur = (low + high) / 2;
+	  cur = low + (high - low) / 2;
 	  if (fill_mask (entry, cur) >= addr)
 	    high = cur;
 	  else

Original file line number	Diff line number	Diff line change
`@@ -409,7 +409,7 @@ badram_iter (grub_uint64_t addr, grub_uint64_t size,`
`409`	`409`	`*/`
`410`	`410`	`while (high - low > 1)`
`411`	`411`	`{`
`412`		`- cur = (low + high) / 2;`
	`412`	`+ cur = low + (high - low) / 2;`
`413`	`413`	`if (fill_mask (entry, cur) >= addr)`
`414`	`414`	`high = cur;`
`415`	`415`	`else`