From: Paul Meyer Date: Sat, 13 Jun 2026 09:24:13 +0000 (+0200) Subject: vmspawn: reject oversized fstab.extra credential before int-cast merge X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4f6ce566e16ead262f49b0ca18b87b933486cdc6;p=thirdparty%2Fsystemd.git vmspawn: reject oversized fstab.extra credential before int-cast merge The fstab.extra merge prepends the existing credential via asprintf("%.*s", (int) existing->size, …). MachineCredential.size is size_t, so for a credential >INT_MAX the (int) cast yields a negative precision, which C treats as omitted — turning %.*s into an unbounded read past the allocation. Reject such a credential up front with EFBIG; for all realistic sizes the merge is unchanged. Co-developed-by: Claude Opus 4.8 Signed-off-by: Paul Meyer --- diff --git a/src/vmspawn/vmspawn.c b/src/vmspawn/vmspawn.c index 70dcc9914a3..55c650af1b5 100644 --- a/src/vmspawn/vmspawn.c +++ b/src/vmspawn/vmspawn.c @@ -3305,6 +3305,11 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) { if (existing) { _cleanup_free_ char *combined = NULL; + if (existing->size >= INT_MAX) + return log_error_errno(SYNTHETIC_ERRNO(EFBIG), + "Existing fstab.extra credential is too large (%zu bytes).", + existing->size); + if (existing->size > 0 && existing->data[existing->size - 1] != '\n') r = asprintf(&combined, "%.*s\n%s", (int) existing->size, existing->data, fstab_extra); else
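Review bot: the added guard in run_virtual_machine() tests `existing->size >= INT_MAX`, but the commit message describes the failing case as a credential ">INT_MAX", and a size of exactly INT_MAX still casts to a valid non-negative precision. Either relax the test to `existing->size > INT_MAX` or adjust the message so the two agree; if the stricter bound is deliberate, say why. A one-line comment above the check would also help, stating that it protects the `(int) existing->size` precision passed to the asprintf() calls that follow. Without it the EFBIG return looks like an arbitrary size limit, and a later refactor of the merge could drop it or leave it behind. Placing the check before the `if (existing->size > 0 && ...)` branch is right, since it then runs ahead of both asprintf() paths.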