On Fri, 9 Jan 2026 at 06:08, Timo tp Preißl <[email protected]> wrote: > > An integer overflow in nvlist size calculation could lead > to under-allocation and heap buffer overflow. > > Signed-off-by: Timo tp Preißl <[email protected]> > --- > fs/zfs/zfs.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) >
Reviewed-by: Simon Glass <[email protected]> > diff --git a/fs/zfs/zfs.c b/fs/zfs/zfs.c > index 410a61aa611..c7502c344ff 100644 > --- a/fs/zfs/zfs.c > +++ b/fs/zfs/zfs.c > @@ -1617,6 +1617,7 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name) > char *ret; > size_t size; > int found; > + size_t alloc; > > found = nvlist_find_value(nvlist, name, DATA_TYPE_NVLIST, &nvpair, > &size, 0); > @@ -1627,7 +1628,10 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name) > * nvlist to hold the encoding method, and two zero uint32's after the > * nvlist as the NULL terminator. > */ > - ret = calloc(1, size + 3 * sizeof(uint32_t)); > + if (__builtin_add_overflow(size, 3 * sizeof(uint32_t), &alloc)) > + return 0; > + > + ret = calloc(1, alloc); > if (!ret) > return 0; > memcpy(ret, nvlist, sizeof(uint32_t)); > -- > 2.43.0 > >
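Review bot: the check added in the second hunk, `if (__builtin_add_overflow(size, 3 * sizeof(uint32_t), &alloc)) return 0;`, correctly rejects a wrapped allocation size before `calloc()`, but it depends on a GCC/Clang builtin; if the tree provides a portable overflow helper, prefer that so the file still builds with other toolchains. Returning 0 on overflow mirrors the existing `if (!ret) return 0;` path, so callers need no change. Because `size` is filled in by `nvlist_find_value()` from parsed nvlist data rather than a trusted constant, it would also be worth bounding it against the length of the enclosing nvlist, so a corrupt or hostile pool cannot request an allocation that passes the overflow test yet is far larger than the data actually present.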

