squashfs: Fix integer overflow in sqfs_inode_size() A carefully crafted squashfs filesystem can exhibit an extremly large inode size and overflow the calculation in sqfs_inode_size(). As a consequence, the squashfs driver will read from wrong locations. Fix by using __builtin_add_overflow() to detect the overflow. Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>

commit: 16a19a60300083f4410b20c9bb22451fdfb6893a [log] [tgz]
author: Richard Weinberger <richard@nod.at> Fri Aug 02 18:36:45 2024 +0200
committer: Tom Rini <trini@konsulko.com> Thu Aug 15 16:14:36 2024 -0600
tree: 58747ceff98fb274c86f85454f04db1304364371
parent: 18ef5f3b94048ee4e6849d908a1deed015776734 [diff] [blame]
diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
index d25cfb5..bb3ccd3 100644
--- a/fs/squashfs/sqfs_inode.c
+++ b/fs/squashfs/sqfs_inode.c

@@ -78,11 +78,16 @@
 
 	case SQFS_SYMLINK_TYPE:
 	case SQFS_LSYMLINK_TYPE: {
+		int size;
+
 		struct squashfs_symlink_inode *symlink =
 			(struct squashfs_symlink_inode *)inode;
 
-		return sizeof(*symlink) +
-			get_unaligned_le32(&symlink->symlink_size);
+		if (__builtin_add_overflow(sizeof(*symlink),
+		    get_unaligned_le32(&symlink->symlink_size), &size))
+			return -EINVAL;
+
+		return size;
 	}
 
 	case SQFS_BLKDEV_TYPE:
commit	16a19a60300083f4410b20c9bb22451fdfb6893a	[log] [tgz]
author	Richard Weinberger <richard@nod.at>	Fri Aug 02 18:36:45 2024 +0200
committer	Tom Rini <trini@konsulko.com>	Thu Aug 15 16:14:36 2024 -0600
tree	58747ceff98fb274c86f85454f04db1304364371
parent	18ef5f3b94048ee4e6849d908a1deed015776734 [diff] [blame]