[PATCH 4/5] CVE-2025-26725: fs: jffs2: fix malloc(size + constant) buffer overflow issues

mail archive of the barebox mailing list
 help / color / mirror / Atom feed

From: Sascha Hauer <s.hauer@pengutronix.de>
To: Barebox List <barebox@lists.infradead.org>
Cc: Jonathan Bar Or <jonathanbaror@gmail.com>
Subject: [PATCH 4/5] CVE-2025-26725: fs: jffs2: fix malloc(size + constant) buffer overflow issues
Date: Wed, 19 Feb 2025 15:18:43 +0100	[thread overview]
Message-ID: <20250219141844.1912413-5-s.hauer@pengutronix.de> (raw)
In-Reply-To: <20250219141844.1912413-1-s.hauer@pengutronix.de>

The pattern malloc(size + constant) is dangerous when size can be
manipulated by an attacker. In that case 'size' can be manipulated
in a way that 'size + constant' is 0 due to integer overflow. The
result is a zero sized buffer to which is then data written to.

Avoid this by using size_add() and struct_size() instead.

Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 fs/jffs2/malloc.c    | 4 ++--
 fs/jffs2/nodelist.h  | 2 +-
 fs/jffs2/readinode.c | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/jffs2/malloc.c b/fs/jffs2/malloc.c
index e0e29fa648..61c2430c18 100644
--- a/fs/jffs2/malloc.c
+++ b/fs/jffs2/malloc.c
@@ -15,10 +15,10 @@
 #include <linux/jffs2.h>
 #include "nodelist.h"
 
-struct jffs2_full_dirent *jffs2_alloc_full_dirent(int namesize)
+struct jffs2_full_dirent *jffs2_alloc_full_dirent(size_t namesize)
 {
 	struct jffs2_full_dirent *ret;
-	ret = kmalloc(sizeof(*ret) + namesize, GFP_KERNEL);
+	ret = kmalloc(struct_size(ret, name, namesize), GFP_KERNEL);
 	dbg_memalloc("%p\n", ret);
 	return ret;
 }
diff --git a/fs/jffs2/nodelist.h b/fs/jffs2/nodelist.h
index d8687319c7..28b35d6d58 100644
--- a/fs/jffs2/nodelist.h
+++ b/fs/jffs2/nodelist.h
@@ -440,7 +440,7 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f);
 
 /* malloc.c */
 
-struct jffs2_full_dirent *jffs2_alloc_full_dirent(int namesize);
+struct jffs2_full_dirent *jffs2_alloc_full_dirent(size_t namesize);
 void jffs2_free_full_dirent(struct jffs2_full_dirent *);
 struct jffs2_full_dnode *jffs2_alloc_full_dnode(void);
 void jffs2_free_full_dnode(struct jffs2_full_dnode *dnode);
diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c
index 605130d60c..4634ee5818 100644
--- a/fs/jffs2/readinode.c
+++ b/fs/jffs2/readinode.c
@@ -601,7 +601,7 @@ static inline int read_direntry(struct jffs2_sb_info *c, struct jffs2_raw_node_r
 		spin_unlock(&c->erase_completion_lock);
 	}
 
-	fd = jffs2_alloc_full_dirent(rd->nsize + 1);
+	fd = jffs2_alloc_full_dirent(size_add(rd->nsize, 1));
 	if (unlikely(!fd))
 		return -ENOMEM;
 
-- 
2.39.5

next prev parent reply	other threads:[~2025-02-19 15:26 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-02-19 14:18 [PATCH 0/5] Filesystem memory corruption fixes Sascha Hauer
2025-02-19 14:18 ` [PATCH 1/5] CVE-2025-26722: fs: squashfs: Ensure positive inode length Sascha Hauer
2025-02-19 16:49   ` Ahmad Fatoum
2025-02-19 14:18 ` [PATCH 2/5] CVE-2025-26724: fs: cramfs: fix malloc(size + constant) buffer overflow issues Sascha Hauer
2025-02-19 16:50   ` Ahmad Fatoum
2025-02-19 14:18 ` [PATCH 3/5] CVE-2025-26723: fs: ext4: " Sascha Hauer
2025-02-19 16:51   ` Ahmad Fatoum
2025-02-19 14:18 ` Sascha Hauer [this message]
2025-02-19 16:54   ` [PATCH 4/5] CVE-2025-26725: fs: jffs2: " Ahmad Fatoum
2025-02-19 14:18 ` [PATCH 5/5] CVE-2025-26721: fs: pstore: " Sascha Hauer
2025-02-19 16:54   ` Ahmad Fatoum
2025-02-19 16:47 ` [PATCH 0/5] Filesystem memory corruption fixes Ahmad Fatoum
2025-02-21  7:33 ` Sascha Hauer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250219141844.1912413-5-s.hauer@pengutronix.de \
    --to=s.hauer@pengutronix.de \
    --cc=barebox@lists.infradead.org \
    --cc=jonathanbaror@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox