On Tue, 02 Jul 2024 21:44:27 +0200, Richard Weinberger wrote:
> While zalloc() takes a size_t type, adding 1 to the le32 variable
> will overflow.
> A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
> and as a consequence zalloc() will do a zero allocation.
>
> Later in the function the inode size is again used for copying data.
> So an attacker can overwrite memory.
>
> [...]

Applied, thanks!

[1/1] ext4: Fix integer overflow in ext4fs_read_symlink()
      https://git.pengutronix.de/cgit/barebox/commit/?id=a2b76550f7d8
      (link may not be stable)

Best regards,
--
Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
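The wrap described in the quoted commit message, as an added C example that is not barebox code: the 32-bit addition turns a size of 0xffffffff into a zero-byte allocation, and the checked variant shown beside it is one possible hardening (an assumption, not the applied commit's exact change).

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed value matching the crafted inode size the report names. */
#define CRAFTED_INODE_SIZE 0xffffffffu

/* Buggy computation: the +1 happens in the 32-bit type, so for
 * 0xffffffff it wraps to 0 before being widened to size_t, and
 * zalloc() is asked for a zero-byte buffer that the later copy
 * of `size` bytes overruns. */
size_t vuln_alloc_size(uint32_t inode_size)
{
    uint32_t n = inode_size + 1;   /* wraps to 0 for 0xffffffff */
    return (size_t)n;
}

/* Hardened computation (assumed fix, not the project's own):
 * refuse a size that cannot be incremented, and do the addition
 * in size_t only after the bound has been checked. */
int safe_alloc_size(uint32_t inode_size, size_t *out)
{
    if (inode_size == UINT32_MAX)
        return -1;                 /* would wrap, reject */
    *out = (size_t)inode_size + 1; /* room for a NUL terminator */
    return 0;
}

/* Hypothetical helper showing the allocate-then-copy pattern with the
 * check in front of it; returns NULL instead of allocating too little. */
char *checked_symlink_buffer(uint32_t inode_size)
{
    size_t n;
    if (safe_alloc_size(inode_size, &n) != 0)
        return NULL;
    return calloc(1, n);           /* stand-in for zalloc() */
}
```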