[PATCH 1/4] squashfs: Fix integer overflow in sqfs_resolve_symlink()
Miquel Raynal
miquel.raynal at bootlin.com
Wed Jul 17 09:59:08 CEST 2024
Hi Richard,
richard at nod.at wrote on Fri, 12 Jul 2024 10:23:41 +0200:
> A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff;
> as a consequence, malloc() will do a zero allocation.
> Later in the function the inode size is again used for copying data.
> So an attacker can overwrite memory.
> Avoid the overflow by using the __builtin_add_overflow() helper.
>
> Signed-off-by: Richard Weinberger <richard at nod.at>
Good catch.
Reviewed-by: Miquel Raynal <miquel.raynal at bootlin.com>
Thanks,
Miquèl
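An added example that is neither U-Boot's code nor the patch under review, modelling the pattern the commit message describes: an inode size of 0xffffffff makes a plain `size + 1` wrap to zero, so the allocation is far smaller than the copy that follows, while `__builtin_add_overflow()` turns that wrap into a rejected inode. `struct symlink_inode`, `checked_alloc_len()`, `resolve_symlink()` and the sample inode are hypothetical, constructed for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of an on-disk symlink inode: a 32-bit target length
 * followed by the target bytes. Not U-Boot's own struct definition. */
struct symlink_inode {
    uint32_t symlink_size;
    char symlink[];
};

/* With symlink_size == 0xffffffff a plain size + 1 wraps to 0, so malloc(0)
 * is requested while the later copy still uses the full size. The fix:
 * __builtin_add_overflow reports the wrap; 0 here means reject the inode. */
static uint32_t checked_alloc_len(uint32_t inode_size)
{
    uint32_t len;
    return __builtin_add_overflow(inode_size, 1u, &len) ? 0 : len;
}

/* Copy the target into a NUL-terminated heap string using the checked
 * length. `avail` is how many target bytes actually exist in the image. */
static char *resolve_symlink(const struct symlink_inode *sym, size_t avail)
{
    uint32_t len = checked_alloc_len(sym->symlink_size);
    if (len == 0 || sym->symlink_size > avail)
        return NULL;                     /* wrapped or truncated inode */
    char *target = malloc(len);
    if (!target)
        return NULL;
    memcpy(target, sym->symlink, sym->symlink_size);
    target[sym->symlink_size] = '\0';
    return target;
}

/* Constructed sample inode with a 6-byte target; returns 1 if resolved. */
static int demo_resolves_sample(void)
{
    uint32_t raw[3] = {0};               /* aligned 12-byte buffer */
    struct symlink_inode *sym = (struct symlink_inode *)raw;
    sym->symlink_size = 6;
    memcpy(sym->symlink, "/a/b/c", 6);
    char *t = resolve_symlink(sym, 8);
    int ok = t != NULL && strcmp(t, "/a/b/c") == 0;
    free(t);
    return ok;
}
```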