Djam/u-boot
1
0
Fork 0
mirror of https://github.com/u-boot/u-boot.git synced 2025-04-19 03:15:00 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

ext4: Fix integer overflow in ext4fs_read_symlink()

Browse source 
While zalloc() takes a size_t type, adding 1 to the le32 variable
will overflow.
A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
and as consequence zalloc() will do a zero allocation.

Later in the function the inode size is again used for copying data.
So an attacker can overwrite memory.

Avoid the overflow by using the __builtin_add_overflow() helper.

Signed-off-by: Richard Weinberger <richard@nod.at>
This commit is contained in:
Richard Weinberger 2024-08-09 11:54:28 +02:00 committed by Tom Rini
parent 048d795bb5
commit 35f75d2a46
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
fs/ext4/ext4_common.c
View file

@ -2181,13 +2181,18 @@ static char *ext4fs_read_symlink(struct ext2fs_node *node)
struct ext2fs_node *diro = node;
int status;
loff_t actread;
size_t alloc_size;
if (!diro->inode_read) {
status = ext4fs_read_inode(diro->data, diro->ino, &diro->inode);
if (status == 0)
return NULL;
}
symlink = zalloc(le32_to_cpu(diro->inode.size) + 1);
if (__builtin_add_overflow(le32_to_cpu(diro->inode.size), 1, &alloc_size))
return NULL;
symlink = zalloc(alloc_size);
if (!symlink)
return NULL;