From 33235632835189e687a0ede87fa6f1a652cfbe4d Mon Sep 17 00:00:00 2001 From: Richard Weinberger Date: Fri, 9 Aug 2024 11:54:28 +0200 Subject: [PATCH] [PATCH] ext4: Fix integer overflow in ext4fs_read_symlink() While zalloc() takes a size_t type, adding 1 to the le32 variable will overflow. A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff and as consequence zalloc() will do a zero allocation. Later in the function the inode size is again used for copying data. So an attacker can overwrite memory. Avoid the overflow by using the __builtin_add_overflow() helper. Signed-off-by: Richard Weinberger Reviewed-By: Daniel Leidert Origin: https://source.denx.de/u-boot/u-boot/-/commit/35f75d2a46e5859138c83a75cd2f4141c5479ab9 Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2 Bug-Debian: https://bugs.debian.org/1098254 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57256 Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57256 Gbp-Pq: Name CVE-2024-57256.patch --- fs/ext4/ext4_common.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c index c52cc400e..6c4f8dcdf 100644 --- a/fs/ext4/ext4_common.c +++ b/fs/ext4/ext4_common.c @@ -2183,13 +2183,17 @@ static char *ext4fs_read_symlink(struct ext2fs_node *node) struct ext2fs_node *diro = node; int status; loff_t actread; + size_t alloc_size; if (!diro->inode_read) { status = ext4fs_read_inode(diro->data, diro->ino, &diro->inode); if (status == 0) return NULL; } - symlink = zalloc(le32_to_cpu(diro->inode.size) + 1); + if (__builtin_add_overflow(le32_to_cpu(diro->inode.size), 1, &alloc_size)) + return NULL; + + symlink = zalloc(alloc_size); if (!symlink) return NULL; -- 2.30.2