[PATCH v2 4/4] fs: prevent integer overflow in ext4fs_get_bgdtable
Simon Glass
sjg at chromium.org
Thu Jan 8 20:59:16 CET 2026
Hi Timo,
On Wed, 31 Dec 2025 at 06:19, Timo tp Preißl <t.preissl at proton.me> wrote:
>
> An integer overflow in gdsize_total calculation could lead
> to under-allocation and heap buffer overflow.
>
> Signed-off-by: Timo tp Preißl <t.preissl at proton.me>
> ---
> fs/ext4/ext4_write.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ext4/ext4_write.c b/fs/ext4/ext4_write.c
> index 5b290f0d80d..b826a8807c5 100644
> --- a/fs/ext4/ext4_write.c
> +++ b/fs/ext4/ext4_write.c
> @@ -108,7 +108,12 @@ int ext4fs_get_bgdtable(void)
> {
> int status;
> struct ext_filesystem *fs = get_fs();
> - int gdsize_total = ROUND(fs->no_blkgrp * fs->gdsize, fs->blksz);
> + size_t alloc;
> +
> + if (__builtin_mul_overflow(fs->no_blkgrp, fs->gdsize, &alloc))
> + return -1;
> +
> + size_t gdsize_total = ROUND(alloc, fs->blksz);
We normally put declarations at the top of the block / function. Apart
from that:
Reviewed-by: Simon Glass <simon.glass at canonical.com>
> fs->no_blk_pergdt = gdsize_total / fs->blksz;
>
> /* allocate memory for gdtable */
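Review bot: the overflow check covers only the multiplication; at `size_t gdsize_total = ROUND(alloc, fs->blksz);` the rounding step is unchecked, so if ROUND rounds up to a multiple of fs->blksz, a product close to the size_t limit can still wrap there before it is divided into fs->no_blk_pergdt ahead of the gdtable allocation. Consider checking the rounding as well, or rejecting alloc above a sane upper bound before rounding. Since alloc is a size_t, the check only fires when the product exceeds size_t, so values much larger than the old int could hold now pass through, which makes an explicit bound worthwhile. The `return -1` path would also benefit from a short message saying why the filesystem was rejected, and gdsize_total should be declared with the other locals at the top of the function.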
> --
> 2.43.0
>
>
Regards,
Simon