[PATCH v2 2/4] fs: prevent integer overflow in zfs_nvlist_lookup
Simon Glass
sjg at chromium.org
Thu Jan 8 20:59:06 CET 2026
Hi Timo,
On Wed, 31 Dec 2025 at 06:18, Timo tp Preißl <t.preissl at proton.me> wrote:
>
> An integer overflow in nvlist size calculation could lead
> to under-allocation and heap buffer overflow.
>
> Signed-off-by: Timo tp Preißl <t.preissl at proton.me>
> ---
> fs/zfs/zfs.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/fs/zfs/zfs.c b/fs/zfs/zfs.c
> index 410a61aa611..624f4e48cc8 100644
> --- a/fs/zfs/zfs.c
> +++ b/fs/zfs/zfs.c
> @@ -1627,7 +1627,10 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name)
> * nvlist to hold the encoding method, and two zero uint32's after the
> * nvlist as the NULL terminator.
> */
> - ret = calloc(1, size + 3 * sizeof(uint32_t));
> + if (__builtin_add_overflow(size, 3 * sizeof(uint32_t), &alloc))
I don't see 'alloc' here. Is there another patch?
> + return 0;
> +
> + ret = calloc(1, alloc);
> if (!ret)
> return 0;
> memcpy(ret, nvlist, sizeof(uint32_t));
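Review bot: `alloc` is written by `__builtin_add_overflow()` and passed to `calloc()` in this hunk but is not declared anywhere in it; the patch needs a declaration in `zfs_nvlist_lookup_nvlist()`, and it should be `size_t` so that the builtin checks whether `size + 3 * sizeof(uint32_t)` fits the type `calloc()` actually takes (the builtin computes the exact sum and reports whether it fits the destination type, so the destination type is what defines "overflow" here). Returning 0 on overflow is consistent with the existing `if (!ret) return 0;` path, but a one-line comment next to the new check saying that a wrapped `size` would otherwise under-allocate the copy would help the next reader, since the comment block above only explains the three-word overhead.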
> --
> 2.43.0
>
>
Regards,
Simon
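The commit message describes the class of bug without showing the arithmetic. The following is an added example, not code from U-Boot or from this patch: it puts the unchecked `size + 3 * sizeof(uint32_t)` computation beside the builtin-checked form the patch uses and a portable equivalent, and shows the concrete wrapped value that would make `calloc()` succeed with a buffer far smaller than the `size` bytes later copied into it. The function names, the `NVLIST_OVERHEAD` macro and the sample sizes are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed name for the patch's "3 * sizeof(uint32_t)" (encoding word plus
 * two-word terminator); this example is not U-Boot code. */
#define NVLIST_OVERHEAD (3 * sizeof(uint32_t))

/* Unchecked form, the 'before' of the patch: the addition is done in size_t
 * and silently wraps when size is close to SIZE_MAX. */
size_t unchecked_alloc_size(size_t size)
{
	return size + NVLIST_OVERHEAD;
}

/* Checked form using the GCC/Clang builtin, as the patch does.  Returns the
 * allocation size, or 0 if size + NVLIST_OVERHEAD does not fit in size_t
 * (0 is safe as a sentinel because a valid result is always >= overhead). */
size_t checked_alloc_size(size_t size)
{
	size_t alloc;

	if (__builtin_add_overflow(size, NVLIST_OVERHEAD, &alloc))
		return 0;
	return alloc;
}

/* Portable equivalent for compilers without the builtin: compare against
 * SIZE_MAX before adding instead of detecting the wrap afterwards. */
size_t portable_alloc_size(size_t size)
{
	if (size > SIZE_MAX - NVLIST_OVERHEAD)
		return 0;
	return size + NVLIST_OVERHEAD;
}

/* True if an allocation of 'alloc' bytes holds 'size' payload bytes plus the
 * header and terminator.  With a wrapped unchecked size this is false: calloc
 * hands back a tiny buffer and a memcpy of 'size' bytes runs off its end. */
bool allocation_covers_payload(size_t alloc, size_t size)
{
	return alloc >= NVLIST_OVERHEAD && alloc - NVLIST_OVERHEAD >= size;
}
```

For a `size` of `SIZE_MAX - 4` the unchecked sum wraps to 7, so `calloc(1, 7)` succeeds and the copy of the payload overflows a seven-byte heap block; both checked forms refuse that size and accept an ordinary one such as 100, for which all three return 112.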