squashfs: Fix integer overflow in sqfs_resolve_symlink()

A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff,
as a consequence malloc() will do a zero allocation.
Later in the function the inode size is again used for copying data.
So an attacker can overwrite memory.
Avoid the overflow by using the __builtin_add_overflow() helper.

Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>

diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 1430e671a5a83d7b90ea7acb3bbd344b46a276ec..16a07c0622bdc7140370013195974811324cbcbd 100644 (file)
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -422,8 +422,10 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym,
        char *resolved, *target;
        u32 sz;
 
-       sz = get_unaligned_le32(&sym->symlink_size);
-       target = malloc(sz + 1);
+       if (__builtin_add_overflow(get_unaligned_le32(&sym->symlink_size), 1, &sz))
+               return NULL;
+
+       target = malloc(sz);
        if (!target)
                return NULL;
 
@@ -431,9 +433,9 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym,
         * There is no trailling null byte in the symlink's target path, so a
         * copy is made and a '\0' is added at its end.
         */
-       target[sz] = '\0';
+       target[sz - 1] = '\0';
        /* Get target name (relative path) */
-       strncpy(target, sym->symlink, sz);
+       strncpy(target, sym->symlink, sz - 1);
 
        /* Relative -> absolute path conversion */
        resolved = sqfs_get_abs_path(base_path, target);