Hi Timo, On Wed, 31 Dec 2025 at 06:19, Timo tp Preißl <[email protected]> wrote: > > An integer overflow in gdsize_total calculation could lead > to under-allocation and heap buffer overflow. > > Signed-off-by: Timo tp Preißl <[email protected]> > --- > fs/ext4/ext4_write.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/fs/ext4/ext4_write.c b/fs/ext4/ext4_write.c > index 5b290f0d80d..b826a8807c5 100644 > --- a/fs/ext4/ext4_write.c > +++ b/fs/ext4/ext4_write.c > @@ -108,7 +108,12 @@ int ext4fs_get_bgdtable(void) > { > int status; > struct ext_filesystem *fs = get_fs(); > - int gdsize_total = ROUND(fs->no_blkgrp * fs->gdsize, fs->blksz); > + size_t alloc; > + > + if (__builtin_mul_overflow(fs->no_blkgrp, fs->gdsize, &alloc)) > + return -1; > + > + size_t gdsize_total = ROUND(alloc, fs->blksz);
We normally put declarations at the top of the block / function. Apart from that: Reviewed-by: Simon Glass <[email protected]> > fs->no_blk_pergdt = gdsize_total / fs->blksz; > > /* allocate memory for gdtable */ > -- > 2.43.0 > > Regards, Simon
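Review bot: the multiply check guards `fs->no_blkgrp * fs->gdsize`, but the following line `size_t gdsize_total = ROUND(alloc, fs->blksz);` can still wrap if ROUND rounds up by adding `fs->blksz - 1` and `alloc` lies within one block of SIZE_MAX, which would reintroduce the under-allocation this patch sets out to remove; guard the rounding too, for example `if (alloc > SIZE_MAX - fs->blksz) return -1;` before the ROUND, or apply `__builtin_add_overflow` to the rounded value. Minor points: as already noted, declare `size_t alloc, gdsize_total;` next to `int status;` at the top of the block and assign later, and consider a short error message on the `return -1` path so a refused table size can be told apart from the other failure returns of ext4fs_get_bgdtable(). The subsequent `fs->no_blk_pergdt = gdsize_total / fs->blksz;` also deserves a glance: if no_blk_pergdt is narrower than size_t, the now 64-bit-safe value could be silently truncated on assignment.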

