[PATCH 5/5] CVE-2025-26721: fs: pstore: fix malloc(size + constant) buffer overflow issues
Sascha Hauer
s.hauer at pengutronix.de
Wed Feb 19 06:18:44 PST 2025
The pattern malloc(size + constant) is dangerous when size can be
manipulated by an attacker. In that case 'size' can be manipulated
in a way that 'size + constant' is 0 due to integer overflow. The
result is a zero sized buffer to which is then data written to.
Avoid this by using struct_size() instead.
Reported-by: Jonathan Bar Or <jonathanbaror at gmail.com>
Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
---
fs/pstore/fs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/pstore/fs.c b/fs/pstore/fs.c
index 24b0fa5c9d..706c2d4684 100644
--- a/fs/pstore/fs.c
+++ b/fs/pstore/fs.c
@@ -62,7 +62,7 @@ int pstore_mkfile(struct pstore_record *record)
return -EEXIST;
}
- private = xzalloc(sizeof(*private) + size);
+ private = xzalloc(struct_size(private, data, size));
private->type = record->type;
private->id = record->id;
private->count = record->count;
--
2.39.5
More information about the barebox
mailing list