Djam/u-boot
1
0
Fork 0
mirror of https://github.com/u-boot/u-boot.git synced 2025-04-24 14:25:56 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

squashfs: Fix integer overflow in sqfs_inode_size()

Browse source 
A carefully crafted squashfs filesystem can exhibit an extremly large
inode size and overflow the calculation in sqfs_inode_size().
As a consequence, the squashfs driver will read from wrong locations.

Fix by using __builtin_add_overflow() to detect the overflow.

Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
This commit is contained in:
Richard Weinberger 2024-08-02 18:36:45 +02:00 committed by Tom Rini
parent 233945eba6
commit c8e929e575
1 changed files with 7 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
fs/squashfs/sqfs_inode.c
View file

@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size)
case SQFS_SYMLINK_TYPE: case SQFS_SYMLINK_TYPE:
case SQFS_LSYMLINK_TYPE: { case SQFS_LSYMLINK_TYPE: {
int size;
struct squashfs_symlink_inode *symlink = struct squashfs_symlink_inode *symlink =
(struct squashfs_symlink_inode *)inode; (struct squashfs_symlink_inode *)inode;
return sizeof(*symlink) + if (__builtin_add_overflow(sizeof(*symlink),
get_unaligned_le32(&symlink->symlink_size); get_unaligned_le32(&symlink->symlink_size), &size))
return -EINVAL;
return size;
} }
case SQFS_BLKDEV_TYPE: case SQFS_BLKDEV_TYPE: