fs: prevent integer overflow in ext4fs_get_bgdtable

An integer overflow in gdsize_total calculation could lead
to under-allocation and heap buffer overflow.

Signed-off-by: Timo tp Preißl <t.preissl@proton.me>
Reviewed-by: Simon Glass <simon.glass@canonical.com>
Reviewed-by: Tom Rini <trini@konsulko.com>

diff --git a/fs/ext4/ext4_write.c b/fs/ext4/ext4_write.c
index 5b290f0d80d43a65fc74b4c0c06269f35b7075cf..1483e9955c0d9111b83264501d0ce7bc2a033ab0 100644 (file)
--- a/fs/ext4/ext4_write.c
+++ b/fs/ext4/ext4_write.c
@@ -108,7 +108,13 @@ int ext4fs_get_bgdtable(void)
 {
        int status;
        struct ext_filesystem *fs = get_fs();
-       int gdsize_total = ROUND(fs->no_blkgrp * fs->gdsize, fs->blksz);
+       size_t alloc;
+       size_t gdsize_total;
+
+       if (__builtin_mul_overflow(fs->no_blkgrp, fs->gdsize, &alloc))
+               return -1;
+
+       gdsize_total = ROUND(alloc, fs->blksz);
        fs->no_blk_pergdt = gdsize_total / fs->blksz;
 
        /* allocate memory for gdtable */