[PATCH] fs/squashfs fix overflow in sqfs_find_inode()
Simon Glass
sjg at chromium.org
Tue Apr 28 15:59:25 CEST 2026
Hi Jared,
On 2026-04-26T20:45:15, Jared Stroud <dllcoolj at archcloudlabs.com> wrote:
> adding overflow check for offset calculation
>
> Signed-off-by: Jared Stroud <dllcoolj at archcloudlabs.com>
>
> fs/squashfs/sqfs_inode.c | 3 +++
> 1 file changed, 3 insertions(+)
> diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
> @@ -135,6 +135,9 @@ void *sqfs_find_inode(void *inode_table, int inode_number, __le32 inode_count,
> if (sz < 0)
> return NULL;
>
> + if (__builtin_add_overflow(offset, sz, &offset))
> + return NULL;
> +
> offset += sz;
> }
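Review bot: the added check `if (__builtin_add_overflow(offset, sz, &offset))` already stores offset + sz into offset on success, and the unchanged `offset += sz` two lines below then adds sz a second time, so each successful iteration advances by 2 * sz rather than sz and the table walk lands on the wrong inode. Either drop the trailing `offset += sz`, or add into a temporary and assign it to offset only after the builtin reports no overflow. Nothing in this hunk bounds the new offset against the inode table itself, so an sz that does not overflow but is larger than the remaining table still lets the walk run past the end; a length check against the table size belongs beside this one. The three `+` lines also carry a leading space before the tab, which checkpatch will flag.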
This double-adds sz. __builtin_add_overflow() already stores offset +
sz into offset on success, then the existing offset += sz adds it
again, so every successful iteration walks twice as far through the
inode table. Either drop the trailing offset += sz, or use a temporary
destination and assign on success.
The three new lines also have a leading space before the tab; please
run patman or checkpatch to check the patch.
Please use a subsystem prefix and imperative mood on the subject, e.g.
'fs: squashfs: Add overflow check in sqfs_find_inode()', and add a
short body explaining what input triggers the overflow and the
consequence without the check. A Fixes: tag pointing at the original
commit would help too.
Just to check, is there a reproducer (e.g. a crafted squashfs image)
you can mention?
Regards,
Simon
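As an added, stand-alone illustration (not code from the patch or from U-Boot), the C snippet below contrasts the loop as submitted, which keeps `offset += sz` after the `__builtin_add_overflow()` call, with a corrected form that adds into a temporary and commits only on success. The `long` type for `offset` and `sz`, the `sizes[]` arrays standing in for the per-inode size computed in sqfs_find_inode(), and the `table_len` bound are assumptions made for this example, not values taken from the U-Boot source.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Stand-alone illustration of the overflow check discussed in the review.
 * Assumptions (not taken from U-Boot): offset and sz are long, and the
 * per-inode sizes are supplied in an array instead of being computed from
 * the inode table. Both walkers return the final offset, or -1 on a
 * negative size, on arithmetic overflow, or (checked version only) when
 * the offset would leave a table of table_len bytes.
 */

/* The loop as submitted: the builtin stores offset + sz into offset on
 * success, then the remaining "offset += sz" adds sz again, so every
 * iteration advances by 2 * sz instead of sz. */
long walk_double_add(const long *sizes, size_t n)
{
	long offset = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		long sz = sizes[i];

		if (sz < 0)
			return -1;
		if (__builtin_add_overflow(offset, sz, &offset))
			return -1;
		offset += sz;	/* bug: sz has already been added above */
	}
	return offset;
}

/* Corrected form: add into a temporary, commit only on success, and also
 * refuse an offset that runs past the end of the table (table_len is an
 * assumed bound for this example, not something the hunk checks). */
long walk_checked(const long *sizes, size_t n, long table_len)
{
	long offset = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		long sz = sizes[i];
		long next;

		if (sz < 0)
			return -1;
		if (__builtin_add_overflow(offset, sz, &next))
			return -1;
		if (next > table_len)
			return -1;
		offset = next;
	}
	return offset;
}

/* Constructed sample inputs for the walkers above. */
const long sizes_plain[] = { 10, 20, 30 };
const size_t sizes_plain_n = 3;
const long sizes_overflow[] = { LONG_MAX, 1 };
const size_t sizes_overflow_n = 2;
const long sizes_negative[] = { 5, -1 };
const size_t sizes_negative_n = 2;
const long sizes_past_end[] = { 50, 60 };
const size_t sizes_past_end_n = 2;

int main(void)
{
	printf("double-add walk of 10+20+30: %ld (should be 60)\n",
	       walk_double_add(sizes_plain, sizes_plain_n));
	printf("checked walk of 10+20+30: %ld\n",
	       walk_checked(sizes_plain, sizes_plain_n, 1000));
	printf("checked walk hitting LONG_MAX + 1: %ld\n",
	       walk_checked(sizes_overflow, sizes_overflow_n, LONG_MAX));
	printf("checked walk with a negative size: %ld\n",
	       walk_checked(sizes_negative, sizes_negative_n, 1000));
	printf("checked walk leaving a 100-byte table: %ld\n",
	       walk_checked(sizes_past_end, sizes_past_end_n, 100));
	return 0;
}
```

The double-add walker is only exercised on inputs that cannot overflow, because its second addition is a plain signed add and would be undefined behaviour on the overflow input; that is exactly why the check is worth getting right.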
More information about the U-Boot mailing list