From: Richard Weinberger <richard@sigma-star.at>
To: Richard Weinberger <richard@nod.at>, upstream@sigma-star.at
Cc: Jixiong.Hu@mediatek.com, sjg@chromium.org,
patrick.delaunay@foss.st.com, ilias.apalodimas@linaro.org,
seanga2@gmail.com, trini@konsulko.com,
upstream+uboot@sigma-star.at, u-boot@lists.denx.de,
Heinrich Schuchardt <xypron.glpk@gmx.de>
Subject: Re: [PATCH 1/2] ext4: Fix integer overflow in ext4fs_read_symlink()
Date: Fri, 12 Jul 2024 13:14:14 +0200 [thread overview]
Message-ID: <3244366.vfdyTQepKt@somecomputer> (raw)
In-Reply-To: <96973f0e-a185-4758-8e8c-837206c6bdde@gmx.de>
Am Freitag, 12. Juli 2024, 13:10:12 CEST schrieb 'Heinrich Schuchardt' via upstream:
> On 02.07.24 21:42, Richard Weinberger wrote:
> > While zalloc() takes a size_t type, adding 1 to the le32 variable
> > will overflow.
> > A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
> > and as consequence zalloc() will do a zero allocation.
> >
> > Later in the function the inode size is again used for copying data.
> > So an attacker can overwrite memory.
> >
> > Avoid the overflow by using the __builtin_add_overflow() helper.
> >
> > Signed-off-by: Richard Weinberger <richard@nod.at>
> > ---
> > fs/ext4/ext4_common.c | 7 ++++++-
> > 1 file changed, 6 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c
> > index 2ff0dca249..32364b72fb 100644
> > --- a/fs/ext4/ext4_common.c
> > +++ b/fs/ext4/ext4_common.c
> > @@ -2183,13 +2183,18 @@ static char *ext4fs_read_symlink(struct ext2fs_node *node)
> > struct ext2fs_node *diro = node;
> > int status;
> > loff_t actread;
> > + size_t alloc_size;
> >
> > if (!diro->inode_read) {
> > status = ext4fs_read_inode(diro->data, diro->ino, &diro->inode);
> > if (status == 0)
> > return NULL;
> > }
> > - symlink = zalloc(le32_to_cpu(diro->inode.size) + 1);
> > +
> > + if (__builtin_add_overflow(le32_to_cpu(diro->inode.size), 1, &alloc_size))
>
> U-Boot is freestanding code. You cannot use built-ins.
Hm, I see man built-ins in the U-Boot source.
Why is this one special?
Thanks,
//richard
--
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT
UID/VAT Nr: ATU 66964118 | FN: 374287y
next prev parent reply other threads:[~2024-07-12 11:14 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-02 19:42 [PATCH 1/2] ext4: Fix integer overflow in ext4fs_read_symlink() Richard Weinberger
2024-07-02 19:42 ` [PATCH 2/2] ext4: Fix zalloc() Richard Weinberger
2024-07-11 15:45 ` Tom Rini
2024-07-12 7:59 ` Richard Weinberger
2024-07-12 11:15 ` Heinrich Schuchardt
2024-07-12 11:29 ` Richard Weinberger
2024-07-12 11:10 ` [PATCH 1/2] ext4: Fix integer overflow in ext4fs_read_symlink() Heinrich Schuchardt
2024-07-12 11:14 ` Richard Weinberger [this message]
2024-07-12 11:19 ` Heinrich Schuchardt
2024-07-12 11:26 ` Richard Weinberger
2024-07-12 16:54 ` Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3244366.vfdyTQepKt@somecomputer \
--to=richard@sigma-star.at \
--cc=Jixiong.Hu@mediatek.com \
--cc=ilias.apalodimas@linaro.org \
--cc=patrick.delaunay@foss.st.com \
--cc=richard@nod.at \
--cc=seanga2@gmail.com \
--cc=sjg@chromium.org \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
--cc=upstream+uboot@sigma-star.at \
--cc=upstream@sigma-star.at \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox