fs/erofs: fix an integer overflow in symlink resolution

See the original report [1], otherwise len + 1 will be overflowed.

Note that EROFS archive can record arbitary symlink sizes in principle,
so we don't assume a short number like 4096.

[1] https://lore.kernel.org/r/20250210164151.GN1233568@bill-the-cat

Fixes: 830613f8f5bb ("fs/erofs: add erofs filesystem support")
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>

diff --git a/fs/erofs/fs.c b/fs/erofs/fs.c
index 7bd2e8f..dcdc883 100644 (file)
--- a/fs/erofs/fs.c
+++ b/fs/erofs/fs.c
@@ -59,16 +59,19 @@ struct erofs_dir_stream {
 
 static int erofs_readlink(struct erofs_inode *vi)
 {
-       size_t len = vi->i_size;
+       size_t alloc_size;
        char *target;
        int err;
 
-       target = malloc(len + 1);
+       if (__builtin_add_overflow(vi->i_size, 1, &alloc_size))
+               return -EFSCORRUPTED;
+
+       target = malloc(alloc_size);
        if (!target)
                return -ENOMEM;
-       target[len] = '\0';
+       target[vi->i_size] = '\0';
 
-       err = erofs_pread(vi, target, len, 0);
+       err = erofs_pread(vi, target, vi->i_size, 0);
        if (err)
                goto err_out;