Djam/u-boot
1
0
Fork 0
mirror of https://github.com/u-boot/u-boot.git synced 2025-05-04 18:53:42 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fs/erofs: fix an integer overflow in symlink resolution

Browse source 
See the original report [1], otherwise len + 1 will be overflowed.

Note that EROFS archive can record arbitary symlink sizes in principle,
so we don't assume a short number like 4096.

[1] https://lore.kernel.org/r/20250210164151.GN1233568@bill-the-cat

Fixes: 830613f8f5 ("fs/erofs: add erofs filesystem support")
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
This commit is contained in:
Gao Xiang 2025-02-13 19:28:47 +08:00 committed by Tom Rini
parent cdc67e2750
commit 7a45cb4ffe
1 changed files with 7 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
fs/erofs/fs.c
View file

@ -59,16 +59,19 @@ struct erofs_dir_stream {
static int erofs_readlink(struct erofs_inode *vi) static int erofs_readlink(struct erofs_inode *vi)
{ {
size_t len = vi->i_size; size_t alloc_size;
char *target; char *target;
int err; int err;
target = malloc(len + 1); if (__builtin_add_overflow(vi->i_size, 1, &alloc_size))
return -EFSCORRUPTED;
target = malloc(alloc_size);
if (!target) if (!target)
return -ENOMEM; return -ENOMEM;
target[len] = '\0'; target[vi->i_size] = '\0';
err = erofs_pread(vi, target, len, 0); err = erofs_pread(vi, target, vi->i_size, 0);
if (err) if (err)
goto err_out; goto err_out;