From c8f0294285f6588322363e1711bc57118e6fc9a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20tp=20Prei=C3=9Fl?= <t.preissl@proton.me>
Date: Fri, 9 Jan 2026 11:24:51 +0000
Subject: [PATCH] fs: prevent integer overflow in zfs_nvlist_lookup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

An integer overflow in nvlist size calculation could lead
to under-allocation and heap buffer overflow.

Signed-off-by: Timo tp Preißl <t.preissl@proton.me>
Reviewed-by: Simon Glass <simon.glass@canonical.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
---
 fs/zfs/zfs.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/zfs/zfs.c b/fs/zfs/zfs.c
index 410a61aa611..c7502c344ff 100644
--- a/fs/zfs/zfs.c
+++ b/fs/zfs/zfs.c
@@ -1617,6 +1617,7 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name)
 	char *ret;
 	size_t size;
 	int found;
+	size_t alloc;
 
 	found = nvlist_find_value(nvlist, name, DATA_TYPE_NVLIST, &nvpair,
 							  &size, 0);
@@ -1627,7 +1628,10 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name)
 	 * nvlist to hold the encoding method, and two zero uint32's after the
 	 * nvlist as the NULL terminator.
 	 */
-	ret = calloc(1, size + 3 * sizeof(uint32_t));
+	if (__builtin_add_overflow(size, 3 * sizeof(uint32_t), &alloc))
+		return 0;
+
+	ret = calloc(1, alloc);
 	if (!ret)
 		return 0;
 	memcpy(ret, nvlist, sizeof(uint32_t));