[PATCH v2] fs/erofs: fix an integer overflow in symlink resolution

Gao Xiang hsiangkao at linux.alibaba.com
Thu Feb 13 12:28:47 CET 2025


See the original report [1], otherwise len + 1 will overflow.

Note that an EROFS archive can record arbitrary symlink sizes in principle,
so we don't assume a short number like 4096.

[1] https://lore.kernel.org/r/20250210164151.GN1233568@bill-the-cat
Fixes: 830613f8f5bb ("fs/erofs: add erofs filesystem support")
Signed-off-by: Gao Xiang <hsiangkao at linux.alibaba.com>
---
v2:
 - use __builtin_add_overflow as Jonathan suggested.

 fs/erofs/fs.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/fs/erofs/fs.c b/fs/erofs/fs.c
index 7bd2e8fcfc..dcdc883e34 100644
--- a/fs/erofs/fs.c
+++ b/fs/erofs/fs.c
@@ -59,16 +59,19 @@ struct erofs_dir_stream {
 
 static int erofs_readlink(struct erofs_inode *vi)
 {
-	size_t len = vi->i_size;
+	size_t alloc_size;
 	char *target;
 	int err;
 
-	target = malloc(len + 1);
+	if (__builtin_add_overflow(vi->i_size, 1, &alloc_size))
+		return -EFSCORRUPTED;
+
+	target = malloc(alloc_size);
 	if (!target)
 		return -ENOMEM;
-	target[len] = '\0';
+	target[vi->i_size] = '\0';
 
-	err = erofs_pread(vi, target, len, 0);
+	err = erofs_pread(vi, target, vi->i_size, 0);
 	if (err)
 		goto err_out;
 
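Review bot: A short comment above the `__builtin_add_overflow(vi->i_size, 1, &alloc_size)` line would make the intent of this check clearer, because it does more than guard the `+ 1`: the builtin reports overflow whenever the sum does not fit the destination type, and `alloc_size` is `size_t`, so on 32-bit targets an `i_size` that is too large for `size_t` is also rejected before it reaches `malloc()`, `target[vi->i_size]` and the `erofs_pread()` length argument. Suggest something like `/* reject i_size values where i_size + 1 does not fit in size_t */`. Since `__builtin_add_overflow` is a GCC/Clang builtin, it is also worth noting in the commit message that the code now depends on it rather than on a plain comparison.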
-- 
2.43.5



More information about the U-Boot mailing list