On 19.02.25 15:18, Sascha Hauer wrote:
> The pattern malloc(size + constant) is dangerous when size can be
> manipulated by an attacker. In that case 'size' can be manipulated
> in a way that 'size + constant' is 0 due to integer overflow. The
> result is a zero sized buffer to which data is then written.
>
> Avoid this by using struct_size() instead.
>
> Reported-by: Jonathan Bar Or <jonathanbaror@xxxxxxxxx>
> Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>

Reviewed-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>

> ---
> fs/pstore/fs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/pstore/fs.c b/fs/pstore/fs.c
> index 24b0fa5c9d..706c2d4684 100644
> --- a/fs/pstore/fs.c
> +++ b/fs/pstore/fs.c
> @@ -62,7 +62,7 @@ int pstore_mkfile(struct pstore_record *record)
> return -EEXIST;
> }
>
> - private = xzalloc(sizeof(*private) + size);
> + private = xzalloc(struct_size(private, data, size));
> private->type = record->type;
> private->id = record->id;
> private->count = record->count;

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
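Review bot: the `+` line is only a fix because struct_size() saturates to SIZE_MAX on overflow instead of wrapping, so the safety of the hunk now rests on how xzalloc() treats a SIZE_MAX request (it must fail or panic rather than return a small buffer). That dependency is not visible at the call site; a short comment above `private = xzalloc(struct_size(private, data, size));` or a sentence in the commit message would keep a later refactor to a plain allocator from silently reintroducing the undersized-buffer case.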
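The overflow described in the commit message, carried through in a stand-alone C example (added here; not code from the patch or from barebox). The `struct priv` layout and the `STRUCT_SIZE` / `alloc_priv` helpers are constructed stand-ins for the real `private` record and for `struct_size()` / `xzalloc()`; the point is the contrast between the wrapping sum on the removed line and the saturating computation on the added one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for the private record in fs/pstore/fs.c:
 * a fixed header followed by a flexible array member (assumed layout). */
struct priv {
	int type;
	uint64_t id;
	int count;
	char data[];
};

/* The removed line's pattern: size_t addition wraps silently, so an
 * attacker-chosen size can make the requested total exactly 0. */
static size_t naive_size(size_t nbytes)
{
	return sizeof(struct priv) + nbytes;
}

/* Saturating helpers modelled on struct_size(): any overflow yields
 * SIZE_MAX, a request no allocator can satisfy. */
static size_t size_mul_sat(size_t a, size_t b)
{
	size_t r;
	return __builtin_mul_overflow(a, b, &r) ? SIZE_MAX : r;
}

static size_t size_add_sat(size_t a, size_t b)
{
	size_t r;
	return __builtin_add_overflow(a, b, &r) ? SIZE_MAX : r;
}

/* sizeof() does not evaluate its operand, so p may be a NULL pointer. */
#define STRUCT_SIZE(p, member, count) \
	size_add_sat(sizeof(*(p)), size_mul_sat(sizeof((p)->member[0]), (count)))

/* Allocation the way the added line does it: a saturated size makes the
 * allocation fail instead of handing back an undersized buffer. Real
 * xzalloc() would panic here; this stand-in returns NULL. */
static struct priv *alloc_priv(size_t nbytes)
{
	struct priv *p = NULL;
	size_t total = STRUCT_SIZE(p, data, nbytes);

	if (total == SIZE_MAX)
		return NULL;
	return calloc(1, total);
}

/* The one size value that makes the naive sum wrap to exactly 0. */
static size_t wrapping_size(void)
{
	return SIZE_MAX - sizeof(struct priv) + 1;
}
```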