[PATCH] fs/zfs/zfs.c: prevent integer overflow in zfs_nvlist_lookup_nvlist
Timo tp Preißl
t.preissl at proton.me
Sun Dec 21 14:49:09 CET 2025
Prevent integer overflow when allocating memory for NVList data,
which could otherwise lead to heap corruption when parsing
malformed ZFS metadata.
Signed-off-by: Timo tp Preißl <t.preissl at proton.me>
---
fs/zfs/zfs.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/zfs/zfs.c b/fs/zfs/zfs.c
index 410a61aa611..ee47f222a57 100644
--- a/fs/zfs/zfs.c
+++ b/fs/zfs/zfs.c
@@ -1617,6 +1617,7 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name)
char *ret;
size_t size;
int found;
+ size_t alloc;
found = nvlist_find_value(nvlist, name, DATA_TYPE_NVLIST, &nvpair,
&size, 0);
@@ -1627,7 +1628,13 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name)
* nvlist to hold the encoding method, and two zero uint32's after the
* nvlist as the NULL terminator.
*/
- ret = calloc(1, size + 3 * sizeof(uint32_t));
+
+
+ if (__builtin_add_overflow(size, 3 * sizeof(uint32_t), &alloc))
+ return 0;
+
+ ret = calloc(1, alloc)
+
if (!ret)
return 0;
memcpy(ret, nvlist, sizeof(uint32_t));
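Review bot: The new allocation line `ret = calloc(1, alloc)` is missing its terminating semicolon, so the hunk as posted does not compile; it should read `ret = calloc(1, alloc);`. The three added blank lines (two before the overflow check, one after the calloc) add nothing and do not match the spacing of the surrounding code; dropping them keeps the change to the two-line guard plus the allocation. The guard itself is the right fix for a `size` that is read from on-disk metadata, and `__builtin_add_overflow` is available on the GCC and Clang toolchains U-Boot builds with, but a one-line comment such as `/* size comes from untrusted nvlist data; guard the arithmetic */` would stop the check from being dropped as redundant later. Whether `size` is also bounded against the enclosing nvlist buffer before the later copy is not visible here; zfs_nvlist_lookup_nvlist continues outside the hunk.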
--
2.43.0