Hi Timo, On Wed, 31 Dec 2025 at 06:18, Timo tp Preißl <[email protected]> wrote: > > An integer overflow in nvlist size calculation could lead > to under-allocation and heap buffer overflow. > > Signed-off-by: Timo tp Preißl <[email protected]> > --- > fs/zfs/zfs.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/fs/zfs/zfs.c b/fs/zfs/zfs.c > index 410a61aa611..624f4e48cc8 100644 > --- a/fs/zfs/zfs.c > +++ b/fs/zfs/zfs.c > @@ -1627,7 +1627,10 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name) > * nvlist to hold the encoding method, and two zero uint32's after the > * nvlist as the NULL terminator. > */ > - ret = calloc(1, size + 3 * sizeof(uint32_t)); > + if (__builtin_add_overflow(size, 3 * sizeof(uint32_t), &alloc))
I don't see 'alloc' here. Is there another patch? > + return 0; > + > + ret = calloc(1, alloc); > if (!ret) > return 0; > memcpy(ret, nvlist, sizeof(uint32_t)); > -- > 2.43.0 > > Regards, Simon
