From 5d7ca74388544bf8c95e104517a9120e94bfe40d Mon Sep 17 00:00:00 2001 From: Richard Weinberger Date: Fri, 2 Aug 2024 18:36:44 +0200 Subject: [PATCH 2/8] squashfs: Fix integer overflow in sqfs_resolve_symlink() A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff, as a consequence malloc() will do a zero allocation. Later in the function the inode size is again used for copying data. So an attacker can overwrite memory. Avoid the overflow by using the __builtin_add_overflow() helper. Signed-off-by: Richard Weinberger Reviewed-by: Miquel Raynal CVE: CVE-2024-57255 Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/233945eba63e24061dffeeaeb7cd6fe985278356] Signed-off-by: Hongxu Jia --- fs/squashfs/sqfs.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c index 1430e671..16a07c06 100644 --- a/fs/squashfs/sqfs.c +++ b/fs/squashfs/sqfs.c @@ -422,8 +422,10 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym, char *resolved, *target; u32 sz; - sz = get_unaligned_le32(&sym->symlink_size); - target = malloc(sz + 1); + if (__builtin_add_overflow(get_unaligned_le32(&sym->symlink_size), 1, &sz)) + return NULL; + + target = malloc(sz); if (!target) return NULL; @@ -431,9 +433,9 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym, * There is no trailling null byte in the symlink's target path, so a * copy is made and a '\0' is added at its end. */ - target[sz] = '\0'; + target[sz - 1] = '\0'; /* Get target name (relative path) */ - strncpy(target, sym->symlink, sz); + strncpy(target, sym->symlink, sz - 1); /* Relative -> absolute path conversion */ resolved = sqfs_get_abs_path(base_path, target); -- 2.34.1