41 lines
1.3 KiB
Diff
41 lines
1.3 KiB
Diff
From c8e929e5758999933f9e905049ef2bf3fe6b140d Mon Sep 17 00:00:00 2001
|
|
From: Richard Weinberger <richard@nod.at>
|
|
Date: Fri, 2 Aug 2024 18:36:45 +0200
|
|
Subject: [PATCH] squashfs: Fix integer overflow in sqfs_inode_size()
|
|
|
|
A carefully crafted squashfs filesystem can exhibit an extremly large
|
|
inode size and overflow the calculation in sqfs_inode_size().
|
|
As a consequence, the squashfs driver will read from wrong locations.
|
|
|
|
Fix by using __builtin_add_overflow() to detect the overflow.
|
|
|
|
Signed-off-by: Richard Weinberger <richard@nod.at>
|
|
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
|
|
---
|
|
fs/squashfs/sqfs_inode.c | 9 +++++++--
|
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
|
|
index d25cfb53e75d..bb3ccd37e33b 100644
|
|
--- a/fs/squashfs/sqfs_inode.c
|
|
+++ b/fs/squashfs/sqfs_inode.c
|
|
@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size)
|
|
|
|
case SQFS_SYMLINK_TYPE:
|
|
case SQFS_LSYMLINK_TYPE: {
|
|
+ int size;
|
|
+
|
|
struct squashfs_symlink_inode *symlink =
|
|
(struct squashfs_symlink_inode *)inode;
|
|
|
|
- return sizeof(*symlink) +
|
|
- get_unaligned_le32(&symlink->symlink_size);
|
|
+ if (__builtin_add_overflow(sizeof(*symlink),
|
|
+ get_unaligned_le32(&symlink->symlink_size), &size))
|
|
+ return -EINVAL;
|
|
+
|
|
+ return size;
|
|
}
|
|
|
|
case SQFS_BLKDEV_TYPE:
|