squashfs: Fix integer overflow in sqfs_inode_size()

A carefully crafted squashfs filesystem can exhibit an extremly large inode size and overflow the calculation in sqfs_inode_size(). As a consequence, the squashfs driver will read from wrong locations. Fix by using __builtin_add_overflow() to detect the overflow. Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
author: Richard Weinberger <richard@nod.at> 2024-08-02 18:36:45 +0200
committer: Tom Rini <trini@konsulko.com> 2024-08-15 16:14:36 -0600
commit: c8e929e5758999933f9e905049ef2bf3fe6b140d (patch)
tree: 58747ceff98fb274c86f85454f04db1304364371 /fs
parent: 233945eba63e24061dffeeaeb7cd6fe985278356 (diff)
download: u-boot-c8e929e5758999933f9e905049ef2bf3fe6b140d.tar.gz
1 files changed, 7 insertions, 2 deletions
diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
index d25cfb53e75..bb3ccd37e33 100644
--- a/fs/squashfs/sqfs_inode.c
+++ b/fs/squashfs/sqfs_inode.c
@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size)
 
 	case SQFS_SYMLINK_TYPE:
 	case SQFS_LSYMLINK_TYPE: {
+		int size;
+
 		struct squashfs_symlink_inode *symlink =
 			(struct squashfs_symlink_inode *)inode;
 
-		return sizeof(*symlink) +
-			get_unaligned_le32(&symlink->symlink_size);
+		if (__builtin_add_overflow(sizeof(*symlink),
+		    get_unaligned_le32(&symlink->symlink_size), &size))
+			return -EINVAL;
+
+		return size;
 	}
 
 	case SQFS_BLKDEV_TYPE:
author	Richard Weinberger <richard@nod.at>	2024-08-02 18:36:45 +0200
committer	Tom Rini <trini@konsulko.com>	2024-08-15 16:14:36 -0600
commit	c8e929e5758999933f9e905049ef2bf3fe6b140d (patch)
tree	58747ceff98fb274c86f85454f04db1304364371 /fs
parent	233945eba63e24061dffeeaeb7cd6fe985278356 (diff)
download	u-boot-c8e929e5758999933f9e905049ef2bf3fe6b140d.tar.gz