authorTimo tp Preißl <[email protected]>2026-01-09 11:24:51 +0000
committerTom Rini <[email protected]>2026-01-16 13:04:40 -0600
commitc8f0294285f6588322363e1711bc57118e6fc9a3 (patch)
tree3c6f0bf64495b7f753f36b86797914eeccc08826
parent99416665f006b925db12f6c02b11f9da02c10c5a (diff)
fs: prevent integer overflow in zfs_nvlist_lookup
An integer overflow in nvlist size calculation could lead to under-allocation and heap buffer overflow. Signed-off-by: Timo tp Preißl <[email protected]> Reviewed-by: Simon Glass <[email protected]> Reviewed-by: Tom Rini <[email protected]>
-rw-r--r--fs/zfs/zfs.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/fs/zfs/zfs.c b/fs/zfs/zfs.c
index 410a61aa611..c7502c344ff 100644
--- a/fs/zfs/zfs.c
+++ b/fs/zfs/zfs.c
@@ -1617,6 +1617,7 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name)
char *ret;
size_t size;
int found;
+ size_t alloc;
found = nvlist_find_value(nvlist, name, DATA_TYPE_NVLIST, &nvpair,
&size, 0);
@@ -1627,7 +1628,10 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name)
* nvlist to hold the encoding method, and two zero uint32's after the
* nvlist as the NULL terminator.
*/
- ret = calloc(1, size + 3 * sizeof(uint32_t));
+ if (__builtin_add_overflow(size, 3 * sizeof(uint32_t), &alloc))
+ return 0;
+
+ ret = calloc(1, alloc);
if (!ret)
return 0;
memcpy(ret, nvlist, sizeof(uint32_t));
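Review bot: The new guard before calloc() calls the GCC/Clang builtin `__builtin_add_overflow` directly, whereas U-Boot carries a portable wrapper for this in `include/linux/overflow.h`; if that header is usable here, `if (check_add_overflow(size, 3 * sizeof(uint32_t), &alloc)) return 0;` expresses the same check in project idiom. The check only protects the allocation arithmetic: on a 64-bit `size_t` the add cannot wrap, so the practical benefit is on 32-bit targets, and the copy of `size` bytes from the found nvpair that the comment above describes is safe only if `nvlist_find_value()` has already confined `size` to the bytes remaining in the source nvlist — worth confirming, since that is the more likely over-read path. A one-line comment on the guard, `/* size comes from on-disk nvlist data; reject lengths that would wrap the allocation (32-bit size_t) */`, would record why it exists. zfs_nvlist_lookup_nvlist's body continues outside the hunk.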