authorGao Xiang <hsiangkao@linux.alibaba.com>2025-02-13 19:28:47 +0800
committerTom Rini <trini@konsulko.com>2025-02-18 12:32:07 -0600
commit7a45cb4ffeff034304789954bb222ddd7d02104a (patch)
tree94033c48c83cfd548c735cd484856ef0f563844f
parentcdc67e27500fbde1fc42528c38842e5c5d785a51 (diff)
fs/erofs: fix an integer overflow in symlink resolution
See the original report [1], otherwise len + 1 will overflow. Note that an EROFS archive can record arbitrary symlink sizes in principle, so we don't assume a short number like 4096. [1] https://lore.kernel.org/r/20250210164151.GN1233568@bill-the-cat Fixes: 830613f8f5bb ("fs/erofs: add erofs filesystem support") Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
-rw-r--r--fs/erofs/fs.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/fs/erofs/fs.c b/fs/erofs/fs.c
index 7bd2e8fcfc5..dcdc883e34c 100644
--- a/fs/erofs/fs.c
+++ b/fs/erofs/fs.c
@@ -59,16 +59,19 @@ struct erofs_dir_stream {
static int erofs_readlink(struct erofs_inode *vi)
{
- size_t len = vi->i_size;
+ size_t alloc_size;
char *target;
int err;
- target = malloc(len + 1);
+ if (__builtin_add_overflow(vi->i_size, 1, &alloc_size))
+ return -EFSCORRUPTED;
+
+ target = malloc(alloc_size);
if (!target)
return -ENOMEM;
- target[len] = '\0';
+ target[vi->i_size] = '\0';
- err = erofs_pread(vi, target, len, 0);
+ err = erofs_pread(vi, target, vi->i_size, 0);
if (err)
goto err_out;
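Review bot: The overflow guard in erofs_readlink() is only correct because `alloc_size` is a `size_t`, and nothing in the code says so. `__builtin_add_overflow` reports overflow whenever `vi->i_size + 1` does not fit the destination type, which also rejects a size wider than `size_t` on a 32-bit build (presumably `i_size` is a 64-bit field; its declaration is not in the hunk). The later `target[vi->i_size]` store and the `erofs_pread()` length both rely on that, so a future rewrite into a plain `== SIZE_MAX` comparison would silently reopen the truncation case. I would add a comment above the check, e.g. `/* i_size is read from the image and untrusted; this also rejects sizes that do not fit in size_t */`. The function body continues past the hunk, so the `err_out` path is not visible here.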