commit 89c59368343965bf563f217f3bcb1f2e664a9dc7
author Gao Xiang <hsiangkao@linux.alibaba.com> Thu Feb 13 19:28:47 2025 +0800
committer Tom Rini <trini@konsulko.com> Tue Feb 18 12:32:07 2025 -0600
tree 94033c48c83cfd548c735cd484856ef0f563844f
parent 8b493a2a061843e9261d5bbb5ee2f5c97be85a1a

fs/erofs: fix an integer overflow in symlink resolution

See the original report [1], otherwise len + 1 will be overflowed.

Note that EROFS archive can record arbitary symlink sizes in principle,
so we don't assume a short number like 4096.

[1] https://lore.kernel.org/r/20250210164151.GN1233568@bill-the-cat

Fixes: 830613f8f5bb ("fs/erofs: add erofs filesystem support")
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>

fs/erofs/fs.c

diff --git a/fs/erofs/fs.c b/fs/erofs/fs.c
index 7bd2e8f..dcdc883 100644
--- a/fs/erofs/fs.c
+++ b/fs/erofs/fs.c
@@ -59,16 +59,19 @@
 
 static int erofs_readlink(struct erofs_inode *vi)
 {
-	size_t len = vi->i_size;
+	size_t alloc_size;
 	char *target;
 	int err;
 
-	target = malloc(len + 1);
+	if (__builtin_add_overflow(vi->i_size, 1, &alloc_size))
+		return -EFSCORRUPTED;
+
+	target = malloc(alloc_size);
 	if (!target)
 		return -ENOMEM;
-	target[len] = '\0';
+	target[vi->i_size] = '\0';
 
-	err = erofs_pread(vi, target, len, 0);
+	err = erofs_pread(vi, target, vi->i_size, 0);
 	if (err)
 		goto err_out;