michael/u-boot
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge patch series "fix integer overflows in filesystem code"

Browse Source 
This series from Timo tp Preißl <t.preissl@proton.me> fixes some
(potential) interger overflows in some filesystems by using
__builtin_XXX_overflow helps to catch issues.

Link: https://lore.kernel.org/r/20260109112428.262793-1-t.preissl@proton.me
This commit is contained in:
Tom Rini
2026-01-16 13:04:47 -06:00
parent 8241bd6a82 fc16c847a1
commit adccdb22eb
4 changed files with 30 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
fs/ext4/ext4_write.c
View File

@@ -108,7 +108,13 @@ int ext4fs_get_bgdtable(void)
{ {
int status; int status;
struct ext_filesystem *fs = get_fs(); struct ext_filesystem *fs = get_fs();
int gdsize_total = ROUND(fs->no_blkgrp * fs->gdsize, fs->blksz); size_t alloc;
size_t gdsize_total;
if (__builtin_mul_overflow(fs->no_blkgrp, fs->gdsize, &alloc))
return -1;
gdsize_total = ROUND(alloc, fs->blksz);
fs->no_blk_pergdt = gdsize_total / fs->blksz; fs->no_blk_pergdt = gdsize_total / fs->blksz;
/* allocate memory for gdtable */ /* allocate memory for gdtable */

16
fs/fs.c
View File

@@ -1059,15 +1059,25 @@ int do_mv(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[],
*/ */
if (dirs) { if (dirs) {
char *src_name = strrchr(src, '/'); char *src_name = strrchr(src, '/');
int dst_len;
if (src_name) if (src_name)
src_name += 1; src_name += 1;
else else
src_name = src; src_name = src;
dst_len = strlen(dst); size_t dst_len = strlen(dst);
new_dst = calloc(1, dst_len + strlen(src_name) + 2); size_t src_len = strlen(src_name);
size_t total;
if (__builtin_add_overflow(dst_len, src_len, &total) ||
__builtin_add_overflow(total, 2, &total)) {
return 0;
}
new_dst = calloc(1, total);
if (!new_dst)
return 0;
strcpy(new_dst, dst); strcpy(new_dst, dst);
/* If there is already a trailing slash, don't add another */ /* If there is already a trailing slash, don't add another */

6
fs/squashfs/sqfs.c
View File

@@ -255,10 +255,14 @@ static char *sqfs_concat_tokens(char **token_list, int token_count)
{ {
char *result; char *result;
int i, length = 0, offset = 0; int i, length = 0, offset = 0;
size_t alloc;
length = sqfs_get_tokens_length(token_list, token_count); length = sqfs_get_tokens_length(token_list, token_count);
result = malloc(length + 1); if (__builtin_add_overflow(length, 1, &alloc))
return 0;
result = malloc(alloc);
if (!result) if (!result)
return NULL; return NULL;

6
fs/zfs/zfs.c
View File

@@ -1617,6 +1617,7 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name)
char *ret; char *ret;
size_t size; size_t size;
int found; int found;
size_t alloc;
found = nvlist_find_value(nvlist, name, DATA_TYPE_NVLIST, &nvpair, found = nvlist_find_value(nvlist, name, DATA_TYPE_NVLIST, &nvpair,
&size, 0); &size, 0);
@@ -1627,7 +1628,10 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name)
* nvlist to hold the encoding method, and two zero uint32's after the * nvlist to hold the encoding method, and two zero uint32's after the
* nvlist as the NULL terminator. * nvlist as the NULL terminator.
*/ */
ret = calloc(1, size + 3 * sizeof(uint32_t)); if (__builtin_add_overflow(size, 3 * sizeof(uint32_t), &alloc))
return 0;
ret = calloc(1, alloc);
if (!ret) if (!ret)
return 0; return 0;
memcpy(ret, nvlist, sizeof(uint32_t)); memcpy(ret, nvlist, sizeof(uint32_t));