* [PATCH 1/4] fs: prevent integer overflow in fs.c do_mv
2025-12-29 19:44 [PATCH 0/4] fix multiple integer overflows in fs Timo tp Preißl
@ 2025-12-29 19:44 ` Timo tp Preißl
2025-12-29 19:44 ` [PATCH 2/4] fs: prevent integer overflow in zfs_nvlist_lookup Timo tp Preißl
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Timo tp Preißl @ 2025-12-29 19:44 UTC (permalink / raw)
To: u-boot; +Cc: trini, Timo tp Preißl
An integer overflow in size calculations could lead to
under-allocation and potential heap buffer overflow.
Signed-off-by: Timo tp Preißl <t.preissl@proton.me>
---
fs/fs.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/fs/fs.c b/fs/fs.c
index c7706d9af85..319c55c440a 100644
--- a/fs/fs.c
+++ b/fs/fs.c
@@ -1059,15 +1059,25 @@ int do_mv(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[],
*/
if (dirs) {
char *src_name = strrchr(src, '/');
- int dst_len;
if (src_name)
src_name += 1;
else
src_name = src;
- dst_len = strlen(dst);
- new_dst = calloc(1, dst_len + strlen(src_name) + 2);
+ size_t dst_len = strlen(dst);
+ size_t src_len = strlen(src_name);
+ size_t total;
+
+ if (__builtin_add_overflow(dst_len, src_len, &total) ||
+ __builtin_add_overflow(total, 2, &total)) {
+ return 0;
+ }
+
+ new_dst = calloc(1, total);
+ if (!new_dst)
+ return 0;
+
strcpy(new_dst, dst);
/* If there is already a trailing slash, don't add another */
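Review bot: both new `return 0` paths (the overflow check and the calloc NULL check) report success to the command caller. do_mv is a cmd_tbl handler whose int return is the command status, and 0 is CMD_RET_SUCCESS, so an allocation failure would make `mv` exit silently as if the rename had happened. Return CMD_RET_FAILURE (1) instead, print why, and if the function releases resources at a common exit label, go through that label rather than returning directly. Also note that an add-overflow on two strlen() results cannot fire in practice (two strings resident in one address space never sum to near SIZE_MAX), so the substantive fix in this hunk is `int dst_len` becoming `size_t dst_len` plus the previously missing NULL check; the commit message should say that rather than claim an overflow was reachable here.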
--
2.43.0
* [PATCH 2/4] fs: prevent integer overflow in zfs_nvlist_lookup
2025-12-29 19:44 [PATCH 0/4] fix multiple integer overflows in fs Timo tp Preißl
2025-12-29 19:44 ` [PATCH 1/4] fs: prevent integer overflow in fs.c do_mv Timo tp Preißl
@ 2025-12-29 19:44 ` Timo tp Preißl
2025-12-29 19:44 ` [PATCH 3/4] fs: prevent integer overflow in sqfs_concat Timo tp Preißl
` (2 subsequent siblings)
From: Timo tp Preißl @ 2025-12-29 19:44 UTC (permalink / raw)
To: u-boot; +Cc: trini, Timo tp Preißl
An integer overflow in nvlist size calculation could lead
to under-allocation and heap buffer overflow.
Signed-off-by: Timo tp Preißl <t.preissl@proton.me>
---
fs/zfs/zfs.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/zfs/zfs.c b/fs/zfs/zfs.c
index 410a61aa611..624f4e48cc8 100644
--- a/fs/zfs/zfs.c
+++ b/fs/zfs/zfs.c
@@ -1627,7 +1627,10 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name)
* nvlist to hold the encoding method, and two zero uint32's after the
* nvlist as the NULL terminator.
*/
- ret = calloc(1, size + 3 * sizeof(uint32_t));
+ if (__builtin_add_overflow(size, 3 * sizeof(uint32_t), &alloc))
+ return 0;
+
+ ret = calloc(1, alloc);
if (!ret)
return 0;
memcpy(ret, nvlist, sizeof(uint32_t));
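Review bot: `alloc` is written by `__builtin_add_overflow` and passed to calloc, but no declaration for it appears in this hunk, and the diffstat (4 insertions, 1 deletion) leaves no room for one elsewhere in the file. Unless zfs_nvlist_lookup_nvlist already has a variable of that name in scope, this will not compile. Add `size_t alloc;` next to the function's other locals, giving it the same type as `size` so the builtin's result type matches its operands.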
--
2.43.0
* [PATCH 3/4] fs: prevent integer overflow in sqfs_concat
2025-12-29 19:44 [PATCH 0/4] fix multiple integer overflows in fs Timo tp Preißl
2025-12-29 19:44 ` [PATCH 1/4] fs: prevent integer overflow in fs.c do_mv Timo tp Preißl
2025-12-29 19:44 ` [PATCH 2/4] fs: prevent integer overflow in zfs_nvlist_lookup Timo tp Preißl
@ 2025-12-29 19:44 ` Timo tp Preißl
2025-12-29 19:44 ` [PATCH 4/4] fs: prevent integer overflow in ext4fs_get_bgdtable Timo tp Preißl
2025-12-30 3:53 ` [PATCH 0/4] fix multiple integer overflows in fs Yao Zi
From: Timo tp Preißl @ 2025-12-29 19:44 UTC (permalink / raw)
To: u-boot; +Cc: trini, Timo tp Preißl
An integer overflow in length calculation could lead to
under-allocation and buffer overcopy.
Signed-off-by: Timo tp Preißl <t.preissl@proton.me>
---
fs/squashfs/sqfs.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 4d3d83b7587..1dc63257fb9 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -254,11 +254,15 @@ static int sqfs_get_tokens_length(char **tokens, int count)
static char *sqfs_concat_tokens(char **token_list, int token_count)
{
char *result;
- int i, length = 0, offset = 0;
+ size_t i, length = 0, offset = 0;
+ size_t alloc;
length = sqfs_get_tokens_length(token_list, token_count);
- result = malloc(length + 1);
+ if (__builtin_add_overflow(length, 1, &alloc))
+ return 0;
+
+ result = malloc(alloc);
if (!result)
return NULL;
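Review bot: the check guards the wrong addition. sqfs_get_tokens_length() is declared `static int` (visible in the hunk header), so any overflow happens inside it when the per-token lengths are summed into an int, before `length + 1` is ever computed; storing its int result into `size_t length` only turns a negative or wrapped value into a large unsigned one that the `+ 1` check will not catch. Fix the summation (return size_t from sqfs_get_tokens_length and check each addition there with __builtin_add_overflow) rather than the final `+ 1`. Two smaller points: `i` is now size_t while token_count stays int, which invites sign-compare warnings wherever the two are compared; and `return 0` three lines above `return NULL` in the same char*-returning function should be `return NULL` for consistency.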
--
2.43.0
* [PATCH 4/4] fs: prevent integer overflow in ext4fs_get_bgdtable
2025-12-29 19:44 [PATCH 0/4] fix multiple integer overflows in fs Timo tp Preißl
` (2 preceding siblings ...)
2025-12-29 19:44 ` [PATCH 3/4] fs: prevent integer overflow in sqfs_concat Timo tp Preißl
@ 2025-12-29 19:44 ` Timo tp Preißl
2025-12-30 3:53 ` [PATCH 0/4] fix multiple integer overflows in fs Yao Zi
From: Timo tp Preißl @ 2025-12-29 19:44 UTC (permalink / raw)
To: u-boot; +Cc: trini, Timo tp Preißl
An integer overflow in gdsize_total calculation could lead
to under-allocation and heap buffer overflow.
Signed-off-by: Timo tp Preißl <t.preissl@proton.me>
---
fs/ext4/ext4_write.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/ext4_write.c b/fs/ext4/ext4_write.c
index 5b290f0d80d..b826a8807c5 100644
--- a/fs/ext4/ext4_write.c
+++ b/fs/ext4/ext4_write.c
@@ -108,7 +108,12 @@ int ext4fs_get_bgdtable(void)
{
int status;
struct ext_filesystem *fs = get_fs();
- int gdsize_total = ROUND(fs->no_blkgrp * fs->gdsize, fs->blksz);
+ size_t alloc;
+
+ if (__builtin_mul_overflow(fs->no_blkgrp, fs->gdsize, &alloc))
+ return -1;
+
+ size_t gdsize_total = ROUND(alloc, fs->blksz);
fs->no_blk_pergdt = gdsize_total / fs->blksz;
/* allocate memory for gdtable */
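Review bot: the multiply is checked but the round-up is not. ROUND() adds `blksz - 1` before masking, so a product that fits in size_t but lies within blksz - 1 of SIZE_MAX wraps inside ROUND() and gdsize_total comes out near zero, which is exactly the under-allocation this series sets out to remove. Check that addition as well, e.g. `if (__builtin_add_overflow(alloc, fs->blksz - 1, &gdsize_total)) return -1;` followed by `gdsize_total &= ~(fs->blksz - 1);`. Style: `size_t gdsize_total` is now declared after statements while `alloc` sits at the top; U-Boot follows kernel style, so declare both with the other locals. Also confirm that `-1` matches what the rest of ext4fs_get_bgdtable returns on failure, since the hunk does not show its other error paths.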
--
2.43.0
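All four patches apply one pattern: compute the allocation size with __builtin_*_overflow and refuse to allocate when it wraps. The block below is an added example, not U-Boot's code and not part of the series: it models the ext4 gdtable size in 32-bit unsigned arithmetic, as it would be evaluated on a 32-bit target, to show that both the multiply and the round-up step can wrap, and it shows an overflow-checked "dir/name" join in the shape of do_mv's new_dst construction. The macro ROUND_UP_POW2 and the functions gdtable_size_unchecked, gdtable_size_checked and join_path_checked are this example's own names, and the inputs in main() are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical stand-in for a round-up-to-power-of-two macro such as
 * U-Boot's ROUND(). The "+ b - 1" is a second place a wrap can occur
 * even after the multiplication feeding it has been checked.
 */
#define ROUND_UP_POW2(a, b) (((a) + (b) - 1) & ~((b) - 1))

/*
 * Pre-patch shape of the gdtable size, in 32-bit unsigned arithmetic.
 * Both the product and the round-up wrap silently; a caller that then
 * allocates this many bytes and copies no_blkgrp * gdsize bytes into it
 * overflows the heap.
 */
uint32_t gdtable_size_unchecked(uint32_t no_blkgrp, uint32_t gdsize,
				uint32_t blksz)
{
	return ROUND_UP_POW2(no_blkgrp * gdsize, blksz);
}

/*
 * Checked version: reject the multiply AND the round-up if either wraps,
 * and reject block sizes the mask trick cannot handle. Returns false on
 * any failure so the caller never allocates from a wrapped value.
 */
bool gdtable_size_checked(uint32_t no_blkgrp, uint32_t gdsize, uint32_t blksz,
			  uint32_t *out)
{
	uint32_t prod, padded;

	if (blksz == 0 || (blksz & (blksz - 1)) != 0)
		return false;
	if (__builtin_mul_overflow(no_blkgrp, gdsize, &prod))
		return false;
	if (__builtin_add_overflow(prod, blksz - 1, &padded))
		return false;
	*out = padded & ~(blksz - 1);
	return true;
}

/*
 * Overflow-checked "dir/name" join: size = dir + optional '/' + name + NUL,
 * computed in size_t with every addition checked. Returns NULL on overflow
 * or allocation failure; the caller frees the result.
 */
char *join_path_checked(const char *dir, const char *name)
{
	size_t dlen = strlen(dir), nlen = strlen(name), total, pos;
	char *out;

	/* dir + name + '/' + NUL; the '/' is skipped if dir already ends in one */
	if (__builtin_add_overflow(dlen, nlen, &total) ||
	    __builtin_add_overflow(total, 2, &total))
		return NULL;
	out = calloc(1, total);
	if (!out)
		return NULL;
	memcpy(out, dir, dlen);
	pos = dlen;
	if (dlen == 0 || dir[dlen - 1] != '/')
		out[pos++] = '/';
	memcpy(out + pos, name, nlen + 1);	/* copies the NUL too */
	return out;
}

int main(void)
{
	/* Constructed input: 2^27 groups of 32-byte descriptors is exactly 2^32 */
	uint32_t bad_grp = 134217728u;
	uint32_t sz;
	char *p;

	printf("unchecked: %u bytes\n", gdtable_size_unchecked(bad_grp, 32u, 4096u));
	printf("checked: %s\n",
	       gdtable_size_checked(bad_grp, 32u, 4096u, &sz) ? "ok" : "rejected");

	/* Product fits in 32 bits, but the round-up adds 4095 and wraps to 0 */
	printf("unchecked (round-up wrap): %u bytes\n",
	       gdtable_size_unchecked(0xFFFFFFF1u, 1u, 4096u));
	printf("checked: %s\n",
	       gdtable_size_checked(0xFFFFFFF1u, 1u, 4096u, &sz) ? "ok" : "rejected");

	p = join_path_checked("/boot/", "uImage");
	printf("join: %s\n", p ? p : "(null)");
	free(p);
	return 0;
}
```

The two rejected cases are the ones the series is about: a product that wraps to zero, and a product that survives the multiply check only to wrap inside the round-up. Checking each arithmetic step that feeds an allocation, not just the first, is what keeps the allocation honest.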
* Re: [PATCH 0/4] fix multiple integer overflows in fs
2025-12-29 19:44 [PATCH 0/4] fix multiple integer overflows in fs Timo tp Preißl
` (3 preceding siblings ...)
2025-12-29 19:44 ` [PATCH 4/4] fs: prevent integer overflow in ext4fs_get_bgdtable Timo tp Preißl
@ 2025-12-30 3:53 ` Yao Zi
From: Yao Zi @ 2025-12-30 3:53 UTC (permalink / raw)
To: Timo tp Preißl, u-boot; +Cc: trini
On Mon, Dec 29, 2025 at 07:44:21PM +0000, Timo tp Preißl wrote:
> This series fixes integer overflow issues in several filesystem
> subsystems of U-Boot. Without these fixes, certain size calculations
> could wrap, potentially leading to under-allocation and heap buffer
> overflows.
You should bump the series version when sending a new version of the
series with changes, and provide a changelog and link to the previous
version.
This helps others to distinguish and track different versions of your
patches, and understand what has been changed and what hasn't.
Regards,
Yao Zi
> Timo tp Preißl (4):
> fs: prevent integer overflow in fs.c do_mv
> fs: prevent integer overflow in zfs_nvlist_lookup
> fs: prevent integer overflow in sqfs_concat
> fs: prevent integer overflow in ext4fs_get_bgdtable
>
> fs/ext4/ext4_write.c | 7 ++++++-
> fs/fs.c | 16 +++++++++++++---
> fs/squashfs/sqfs.c | 8 ++++++--
> fs/zfs/zfs.c | 5 ++++-
> 4 files changed, 29 insertions(+), 7 deletions(-)
>
> tested on:
> make sandbox_defconfig
> --
> 2.43.0
>
>