[PATCH v2 1/3] ext4: Fix integer overflow in ext4fs_read_symlink()
Tom Rini
trini at konsulko.com
Fri Aug 16 05:47:29 CEST 2024
On Fri, 09 Aug 2024 11:54:28 +0200, Richard Weinberger wrote:
> While zalloc() takes a size_t type, adding 1 to the le32 variable
> will overflow.
> A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
> and as a consequence zalloc() will do a zero allocation.
>
> Later in the function the inode size is again used for copying data.
> So an attacker can overwrite memory.
>
> [...]
Applied to u-boot/next, thanks!
--
Tom
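
The size wrap described in the quoted commit message, as an added example that is not part of the original mail and is not the U-Boot patch: it contrasts a 32-bit `size + 1` with a size that is validated before both the allocation and the copy. The function names, the `MAX_SYMLINK_LEN` cap and the sample buffer are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SYMLINK_LEN 4096u /* assumed cap, not a U-Boot constant */

/* Constructed sample: symlink target bytes as they would sit on disk. */
static const uint8_t sample_target[] = "target";

/* Unchecked pattern: the +1 is done in 32 bits, so 0xffffffff wraps to 0
 * before the value is widened to size_t for the allocator. */
static size_t alloc_size_wrapping(uint32_t inode_size)
{
	uint32_t n = inode_size + 1u;
	return n;
}

/* Checked pattern: validate the on-disk size once, then use the same
 * validated value for both the allocation and the copy. */
static char *read_symlink_checked(const uint8_t *src, size_t src_len,
				  uint32_t inode_size)
{
	char *buf;

	if (inode_size > MAX_SYMLINK_LEN || inode_size > src_len)
		return NULL;	/* reject before any arithmetic on it */
	buf = calloc(1, (size_t)inode_size + 1);	/* +1 in size_t */
	if (!buf)
		return NULL;
	memcpy(buf, src, inode_size);	/* bounded by the check above */
	return buf;
}

int main(void)
{
	char *ok = read_symlink_checked(sample_target, 6, 6);

	printf("unchecked size for 0xffffffff: %zu\n",
	       alloc_size_wrapping(0xffffffffu));
	printf("checked, size 6: %s\n", ok ? ok : "(rejected)");
	printf("checked, size 0xffffffff: %s\n",
	       read_symlink_checked(sample_target, 6, 0xffffffffu) ?
	       "accepted" : "rejected");
	free(ok);
	return 0;
}
```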