
17 Jul 2024, 9:59 a.m.
Hi Richard,
richard@nod.at wrote on Fri, 12 Jul 2024 10:23:41 +0200:
A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff; as a consequence, malloc() will do a zero allocation. Later in the function the inode size is again used for copying data. So an attacker can overwrite memory. Avoid the overflow by using the __builtin_add_overflow() helper.
Signed-off-by: Richard Weinberger <richard@nod.at>
Good catch.
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Thanks, Miquèl
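
The size wrap described in the commit message, shown as an added example that is not part of this thread or of the patch under review. All function names are hypothetical, and it assumes the allocation is the 32-bit inode size plus one byte for a trailing NUL; the `avail` bound is an extra check added here so the sample copy stays inside its constructed input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked: for inode_size == 0xffffffff the 32-bit sum wraps to 0,
 * so malloc() is asked for zero bytes while the copy still uses inode_size. */
static uint32_t alloc_len_unchecked(uint32_t inode_size)
{
    return inode_size + 1; /* +1 for the NUL terminator (assumption) */
}

/* Checked: __builtin_add_overflow() reports the wrap instead of hiding it. */
static int alloc_len_checked(uint32_t inode_size, uint32_t *len)
{
    return __builtin_add_overflow(inode_size, 1u, len) ? -1 : 0;
}

/* Copy inode_size bytes from src (avail bytes long) into a fresh
 * NUL-terminated buffer; returns NULL when the size cannot be trusted. */
static char *copy_target(const uint8_t *src, size_t avail, uint32_t inode_size)
{
    uint32_t len;
    char *dst;

    if (alloc_len_checked(inode_size, &len))
        return NULL;            /* size + 1 overflowed */
    if (inode_size > avail)
        return NULL;            /* claims more data than is present */
    dst = malloc(len);
    if (!dst)
        return NULL;
    memcpy(dst, src, inode_size);
    dst[inode_size] = '\0';
    return dst;
}

int main(void)
{
    const uint8_t data[] = "abcde";          /* constructed sample input */
    char *ok = copy_target(data, 5, 5);
    char *bad = copy_target(data, 5, 0xffffffffu);

    printf("unchecked length for 0xffffffff: %u\n",
           (unsigned)alloc_len_unchecked(0xffffffffu));
    printf("valid size: %s, crafted size: %s\n",
           ok ? ok : "(rejected)", bad ? bad : "(rejected)");
    free(ok);
    free(bad);
    return 0;
}
```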