[PATCH] erofs-utils: lib: check readlink() length for symlinks
Vansh Choudhary
ch at vnsh.in
Tue Apr 21 05:07:51 AEST 2026
The symlink path writes inode->i_size bytes from a malloc()'d
readlink() buffer without checking how many bytes readlink()
returned. If the target shortens between lstat() and readlink(),
uninitialised malloc() bytes end up in the image.
Return -EIO on a short readlink().
Fixes: a17497f0844a ("erofs-utils: introduce inode operations")
Signed-off-by: Vansh Choudhary <ch at vnsh.in>
---
lib/inode.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/inode.c b/lib/inode.c
index bac21dc..7c66a39 100644
--- a/lib/inode.c
+++ b/lib/inode.c
@@ -1562,6 +1562,10 @@ static int erofs_mkfs_handle_nondirectory(const struct erofs_mkfs_btctx *btctx,
free(symlink);
return -errno;
}
+ if (ret != inode->i_size) {
+ free(symlink);
+ return -EIO;
+ }
}
ret = erofs_write_file_from_buffer(inode, symlink);
free(symlink);
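Review bot: The new `if (ret != inode->i_size)` branch returns -EIO without reporting anything, so a build that fails because a symlink changed between lstat() and readlink() gives the user no hint about which path was involved. Consider logging the source path together with the expected and actual lengths before `return -EIO;`. Also, the commit message only talks about a short readlink(), while `!=` rejects any mismatch. Whether a target that grew can be noticed at all depends on the buffer size passed to readlink(), which is outside this hunk, since readlink() silently truncates to the size it is given. It is worth confirming this and saying in the message which cases are covered. Minor style point: this is now the second `free(symlink); return ...;` pair in the same block, and a single cleanup path would avoid the duplication.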
--
2.43.0