From 99416665f006b925db12f6c02b11f9da02c10c5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20tp=20Prei=C3=9Fl?=
Date: Fri, 9 Jan 2026 11:24:45 +0000
Subject: [PATCH 1/4] fs: prevent integer overflow in fs.c do_mv
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

An integer overflow in size calculations could lead to under-allocation and potential heap buffer overflow.

Signed-off-by: Timo tp Preißl
Reviewed-by: Simon Glass
Reviewed-by: Tom Rini
---
 fs/fs.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/fs/fs.c b/fs/fs.c
index c7706d9af85..319c55c440a 100644
--- a/fs/fs.c
+++ b/fs/fs.c
@@ -1059,15 +1059,25 @@ int do_mv(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[],
  */
 	if (dirs) {
 		char *src_name = strrchr(src, '/');
-		int dst_len;
 
 		if (src_name)
 			src_name += 1;
 		else
 			src_name = src;
 
-		dst_len = strlen(dst);
-		new_dst = calloc(1, dst_len + strlen(src_name) + 2);
+		size_t dst_len = strlen(dst);
+		size_t src_len = strlen(src_name);
+		size_t total;
+
+		if (__builtin_add_overflow(dst_len, src_len, &total) || __builtin_add_overflow(total, 2, &total)) {
+			return 0;
+		}
+
+		new_dst = calloc(1, total);
+		if (!new_dst)
+			return 0;
+
 		strcpy(new_dst, dst);
 
 		/* If there is already a trailing slash, don't add another */
From c8f0294285f6588322363e1711bc57118e6fc9a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20tp=20Prei=C3=9Fl?=
Date: Fri, 9 Jan 2026 11:24:51 +0000
Subject: [PATCH 2/4] fs: prevent integer overflow in zfs_nvlist_lookup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

An integer overflow in nvlist size calculation could lead to under-allocation and heap buffer overflow.

Signed-off-by: Timo tp Preißl
Reviewed-by: Simon Glass
Reviewed-by: Tom Rini
---
 fs/zfs/zfs.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/zfs/zfs.c b/fs/zfs/zfs.c
index 410a61aa611..c7502c344ff 100644
--- a/fs/zfs/zfs.c
+++ b/fs/zfs/zfs.c
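Review bot: Both new early exits in the `if (dirs)` block use `return 0;`, which for a cmd_tbl handler is the success code, so an overflow or a failed calloc() would make the `mv` command report success without renaming anything; if do_mv's other failure paths return 1 (they lie outside the hunk), these should be `return 1;` as well, or go through whatever cleanup the function performs before returning. On style, `size_t dst_len`, `src_len` and `total` are declared after the `if (src_name)` statements, whereas the removed `int dst_len;` sat at the top of the block; hoisting the three declarations keeps the block declaration-first like the surrounding code. A short comment such as `/* both lengths come from user-typed paths; check the size arithmetic before calloc() */` would tell a reader why a check that is unlikely to trip for two in-memory strings is here at all. do_mv starts and ends outside the hunk.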
@@ -1617,6 +1617,7 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name)
 	char *ret;
 	size_t size;
 	int found;
+	size_t alloc;
 
 	found = nvlist_find_value(nvlist, name, DATA_TYPE_NVLIST, &nvpair,
				  &size, 0);
@@ -1627,7 +1628,10 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name)
 	 * nvlist to hold the encoding method, and two zero uint32's after the
 	 * nvlist as the NULL terminator.
 	 */
-	ret = calloc(1, size + 3 * sizeof(uint32_t));
+	if (__builtin_add_overflow(size, 3 * sizeof(uint32_t), &alloc))
+		return 0;
+
+	ret = calloc(1, alloc);
 	if (!ret)
 		return 0;
 	memcpy(ret, nvlist, sizeof(uint32_t));
From 870aff99a279ed428c5a2560b2441b3079ddb34b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20tp=20Prei=C3=9Fl?=
Date: Fri, 9 Jan 2026 11:24:59 +0000
Subject: [PATCH 3/4] fs: prevent integer overflow in sqfs_concat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

An integer overflow in length calculation could lead to under-allocation and buffer overcopy.

Signed-off-by: Timo tp Preißl
Reviewed-by: Tom Rini
Reviewed-by: Simon Glass
Reviewed-by: João Marcos Costa
---
 fs/squashfs/sqfs.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 4d3d83b7587..f668c26472e 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -255,10 +255,14 @@ static char *sqfs_concat_tokens(char **token_list, int token_count)
 {
 	char *result;
 	int i, length = 0, offset = 0;
+	size_t alloc;
 
 	length = sqfs_get_tokens_length(token_list, token_count);
 
-	result = malloc(length + 1);
+	if (__builtin_add_overflow(length, 1, &alloc))
+		return 0;
+
+	result = malloc(alloc);
 	if (!result)
 		return NULL;
 
From fc16c847a1c9c6e0ee1f605849cc500a04c21602 Mon Sep 17 00:00:00 2001
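Review bot: The new `__builtin_add_overflow(size, 3 * sizeof(uint32_t), &alloc)` check protects only the allocation arithmetic, while `size` itself is produced by nvlist_find_value() from the on-disk nvlist and is presumably still used for the copy into `ret` that follows the visible `memcpy(ret, nvlist, sizeof(uint32_t))`; a `size` large enough to wrap this addition is already far beyond any real nvlist, so the bound that matters is `size` against the enclosing nvlist's length, which has to be enforced inside nvlist_find_value (outside the hunk — worth confirming). A comment on the check, `/* size is read from the on-disk nvlist; the addition can wrap on a 32-bit target */`, would record why the guard exists. Returning `0` from a `char *` function matches the existing `return 0;` two lines down, so that part is consistent. zfs_nvlist_lookup_nvlist's body continues outside the hunk.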
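Review bot: The new overflow path uses `return 0;` for a `char *` result while the `if (!result)` branch two lines below uses `return NULL;`; make it `return NULL;` for consistency. More substantively, `length` is an `int` coming from sqfs_get_tokens_length(), and `__builtin_add_overflow(length, 1, &alloc)` only reports overflow when the mathematical result does not fit a `size_t`, so a `length` of -1 yields `alloc == 0` and a zero-byte malloc() that the concatenation loop below would then overrun; if the helper sums `strlen()` values into an `int` (it lies outside the hunk), the signed overflow this patch targets happens there, before this check runs. Either make sqfs_get_tokens_length() return `size_t` and declare `length` as `size_t`, or at minimum add `if (length < 0) return NULL;` ahead of the overflow check. sqfs_concat_tokens continues past the hunk.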
From: =?UTF-8?q?Timo=20tp=20Prei=C3=9Fl?=
Date: Fri, 9 Jan 2026 11:25:07 +0000
Subject: [PATCH 4/4] fs: prevent integer overflow in ext4fs_get_bgdtable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

An integer overflow in gdsize_total calculation could lead to under-allocation and heap buffer overflow.

Signed-off-by: Timo tp Preißl
Reviewed-by: Simon Glass
Reviewed-by: Tom Rini
---
 fs/ext4/ext4_write.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/ext4_write.c b/fs/ext4/ext4_write.c
index 5b290f0d80d..1483e9955c0 100644
--- a/fs/ext4/ext4_write.c
+++ b/fs/ext4/ext4_write.c
@@ -108,7 +108,13 @@ int ext4fs_get_bgdtable(void)
 {
 	int status;
 	struct ext_filesystem *fs = get_fs();
-	int gdsize_total = ROUND(fs->no_blkgrp * fs->gdsize, fs->blksz);
+	size_t alloc;
+	size_t gdsize_total;
+
+	if (__builtin_mul_overflow(fs->no_blkgrp, fs->gdsize, &alloc))
+		return -1;
+
+	gdsize_total = ROUND(alloc, fs->blksz);
 	fs->no_blk_pergdt = gdsize_total / fs->blksz;
 
 	/* allocate memory for gdtable */
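Review bot: `ROUND(alloc, fs->blksz)` can still wrap after the new multiply check if ROUND is the usual add-then-mask macro, because `alloc + fs->blksz - 1` is evaluated in `size_t` with no overflow check, so a product within `blksz` of `SIZE_MAX` rounds down to a small `gdsize_total` and reintroduces the under-allocation this patch closes; guard it with `if (alloc > SIZE_MAX - fs->blksz) return -1;` before the ROUND line. Changing `gdsize_total` from `int` to `size_t` also turns `gdsize_total / fs->blksz` into unsigned arithmetic, which is the right direction, but it is worth checking that `fs->no_blk_pergdt` (declared outside the hunk) is not a narrower or signed type that now truncates. A comment above the check, `/* both factors are read from the filesystem image; the product can exceed size_t on 32-bit targets */`, would document the threat the check addresses, assuming that is where no_blkgrp and gdsize originate. ext4fs_get_bgdtable continues past the hunk.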