From: Richard Weinberger Date: Fri, 2 Aug 2024 16:36:44 +0000 (+0200) Subject: squashfs: Fix integer overflow in sqfs_resolve_symlink() X-Git-Url: http://git.dujemihanovic.xyz/?a=commitdiff_plain;h=233945eba63e24061dffeeaeb7cd6fe985278356;p=u-boot.git squashfs: Fix integer overflow in sqfs_resolve_symlink() A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff, as a consequence malloc() will do a zero allocation. Later in the function the inode size is again used for copying data. So an attacker can overwrite memory. Avoid the overflow by using the __builtin_add_overflow() helper. Signed-off-by: Richard Weinberger Reviewed-by: Miquel Raynal --- diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c index 1430e671a5..16a07c0622 100644 --- a/fs/squashfs/sqfs.c +++ b/fs/squashfs/sqfs.c @@ -422,8 +422,10 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym, char *resolved, *target; u32 sz; - sz = get_unaligned_le32(&sym->symlink_size); - target = malloc(sz + 1); + if (__builtin_add_overflow(get_unaligned_le32(&sym->symlink_size), 1, &sz)) + return NULL; + + target = malloc(sz); if (!target) return NULL; @@ -431,9 +433,9 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym, * There is no trailling null byte in the symlink's target path, so a * copy is made and a '\0' is added at its end. */ - target[sz] = '\0'; + target[sz - 1] = '\0'; /* Get target name (relative path) */ - strncpy(target, sym->symlink, sz); + strncpy(target, sym->symlink, sz - 1); /* Relative -> absolute path conversion */ resolved = sqfs_get_abs_path(base_path, target);