From: Gao Xiang <hsiangkao@linux.alibaba.com>
Date: Thu, 13 Feb 2025 11:28:47 +0000 (+0800)
Subject: fs/erofs: fix an integer overflow in symlink resolution
X-Git-Tag: v2025.04-rc3~8
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7a45cb4ffeff034304789954bb222ddd7d02104a;p=pandora-u-boot.git

fs/erofs: fix an integer overflow in symlink resolution

See the original report [1], otherwise len + 1 will be overflowed.

Note that EROFS archive can record arbitary symlink sizes in principle,
so we don't assume a short number like 4096.

[1] https://lore.kernel.org/r/20250210164151.GN1233568@bill-the-cat

Fixes: 830613f8f5bb ("fs/erofs: add erofs filesystem support")
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
---

diff --git a/fs/erofs/fs.c b/fs/erofs/fs.c
index 7bd2e8fcfc5..dcdc883e34c 100644
--- a/fs/erofs/fs.c
+++ b/fs/erofs/fs.c
@@ -59,16 +59,19 @@ struct erofs_dir_stream {
 
 static int erofs_readlink(struct erofs_inode *vi)
 {
-	size_t len = vi->i_size;
+	size_t alloc_size;
 	char *target;
 	int err;
 
-	target = malloc(len + 1);
+	if (__builtin_add_overflow(vi->i_size, 1, &alloc_size))
+		return -EFSCORRUPTED;
+
+	target = malloc(alloc_size);
 	if (!target)
 		return -ENOMEM;
-	target[len] = '\0';
+	target[vi->i_size] = '\0';
 
-	err = erofs_pread(vi, target, len, 0);
+	err = erofs_pread(vi, target, vi->i_size, 0);
 	if (err)
 		goto err_out;