47 lines
1.7 KiB
Diff
47 lines
1.7 KiB
Diff
From 233945eba63e24061dffeeaeb7cd6fe985278356 Mon Sep 17 00:00:00 2001
|
|
From: Richard Weinberger <richard@nod.at>
|
|
Date: Fri, 2 Aug 2024 18:36:44 +0200
|
|
Subject: [PATCH] squashfs: Fix integer overflow in sqfs_resolve_symlink()
|
|
|
|
A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff,
|
|
as a consequence malloc() will do a zero allocation.
|
|
Later in the function the inode size is again used for copying data.
|
|
So an attacker can overwrite memory.
|
|
Avoid the overflow by using the __builtin_add_overflow() helper.
|
|
|
|
Signed-off-by: Richard Weinberger <richard@nod.at>
|
|
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
|
|
---
|
|
fs/squashfs/sqfs.c | 10 ++++++----
|
|
1 file changed, 6 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
|
|
index 1430e671a5a8..16a07c0622bd 100644
|
|
--- a/fs/squashfs/sqfs.c
|
|
+++ b/fs/squashfs/sqfs.c
|
|
@@ -422,8 +422,10 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym,
|
|
char *resolved, *target;
|
|
u32 sz;
|
|
|
|
- sz = get_unaligned_le32(&sym->symlink_size);
|
|
- target = malloc(sz + 1);
|
|
+ if (__builtin_add_overflow(get_unaligned_le32(&sym->symlink_size), 1, &sz))
|
|
+ return NULL;
|
|
+
|
|
+ target = malloc(sz);
|
|
if (!target)
|
|
return NULL;
|
|
|
|
@@ -431,9 +433,9 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym,
|
|
* There is no trailling null byte in the symlink's target path, so a
|
|
* copy is made and a '\0' is added at its end.
|
|
*/
|
|
- target[sz] = '\0';
|
|
+ target[sz - 1] = '\0';
|
|
/* Get target name (relative path) */
|
|
- strncpy(target, sym->symlink, sz);
|
|
+ strncpy(target, sym->symlink, sz - 1);
|
|
|
|
/* Relative -> absolute path conversion */
|
|
resolved = sqfs_get_abs_path(base_path, target);
|