[PATCH] fs/erofs: fix an integer overflow in symlink resolution
Gao Xiang
hsiangkao at linux.alibaba.com
Wed Feb 12 20:30:57 AEDT 2025
See the original report [1], otherwise len + 1 will be overflowed.
Note that an EROFS archive can record arbitrary symlink sizes in principle,
so we don't assume a short number like 4096.
[1] https://lore.kernel.org/r/20250210164151.GN1233568@bill-the-cat
Fixes: 830613f8f5bb ("fs/erofs: add erofs filesystem support")
Signed-off-by: Gao Xiang <hsiangkao at linux.alibaba.com>
---
fs/erofs/fs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/erofs/fs.c b/fs/erofs/fs.c
index 7bd2e8fcfc..64a6c8cad8 100644
--- a/fs/erofs/fs.c
+++ b/fs/erofs/fs.c
@@ -63,6 +63,9 @@ static int erofs_readlink(struct erofs_inode *vi)
char *target;
int err;
+ if (len >= SIZE_MAX)
+ return -EFSCORRUPTED;
+
target = malloc(len + 1);
if (!target)
return -ENOMEM;
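Review bot: The added `len >= SIZE_MAX` test in front of `malloc(len + 1)` only stops the wrap if `len` is at least as wide as size_t, and the declaration of `len` is not visible in this hunk. If `len` is a narrower unsigned type, the comparison can never be true and `len + 1` still wraps in that narrower type, so it is worth confirming the type or comparing against that type's own maximum. A one-line comment above the check saying that it guards the `+ 1` for the terminating byte would also help, since the check does not bound the allocation size itself and an oversized `len` is left to the existing `if (!target)` path.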
--
2.43.5