A carefully crafted squashfs filesystem can exhibit an extremely large
inode size and overflow the calculation in sqfs_inode_size().
As a consequence, the squashfs driver will read from wrong locations.

Fix by using __builtin_add_overflow() to detect the overflow.

Signed-off-by: Richard Weinberger <rich...@nod.at>
Reviewed-by: Miquel Raynal <miquel.ray...@bootlin.com>
---
 fs/squashfs/sqfs_inode.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
index d25cfb53e7..bb3ccd37e3 100644
--- a/fs/squashfs/sqfs_inode.c
+++ b/fs/squashfs/sqfs_inode.c
@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 
blk_size)
 
        case SQFS_SYMLINK_TYPE:
        case SQFS_LSYMLINK_TYPE: {
+               int size;
+
                struct squashfs_symlink_inode *symlink =
                        (struct squashfs_symlink_inode *)inode;
 
-               return sizeof(*symlink) +
-                       get_unaligned_le32(&symlink->symlink_size);
+               if (__builtin_add_overflow(sizeof(*symlink),
+                   get_unaligned_le32(&symlink->symlink_size), &size))
+                       return -EINVAL;
+
+               return size;
        }
 
        case SQFS_BLKDEV_TYPE:
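Review bot: The overflow check on the added lines only rejects a sum that does not fit in `int`, so a symlink_size just below INT_MAX still produces a positive return and nothing in this hunk bounds it against the metadata that was actually read; the callers of sqfs_inode_size (outside this hunk) must still compare the returned size with the remaining bytes of the inode table buffer, and must treat a negative return as an error rather than as a length. If the call sites do not already test for a negative value, the -EINVAL would silently be used as a size. A short comment on the check would help the next reader: `/* Reject a symlink_size that would overflow int; the caller still bounds the result against the inode table. */`. The function sqfs_inode_size begins before and ends after this hunk, so neither its other cases nor its callers are visible here.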
-- 
2.35.3
