[PATCH 2/6] squashfs: more metadata hardening
Ahmad Fatoum
a.fatoum at pengutronix.de
Tue Jul 16 23:33:24 PDT 2024
This is a port of Linux commit d512584780d3e6a7cacb2f482834849453d444a1:
| Author: Linus Torvalds <torvalds at linux-foundation.org>
| AuthorDate: Mon Jul 30 14:27:15 2018 -0700
|
| Anatoly reports another squashfs fuzzing issue, where the decompression
| parameters themselves are in a compressed block.
|
| This causes squashfs_read_data() to be called in order to read the
| decompression options before the decompression stream having been set
| up, making squashfs go sideways.
|
| Reported-by: Anatoly Trosinenko <anatoly.trosinenko at gmail.com>
| Acked-by: Phillip Lougher <phillip.lougher at gmail.com>
| Cc: stable at kernel.org
| Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Reported-by: Richard Weinberger <richard at sigma-star.at>
Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
fs/squashfs/block.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c
index 3e2b9a5ebda8..d65035cead54 100644
--- a/fs/squashfs/block.c
+++ b/fs/squashfs/block.c
@@ -164,6 +164,8 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length,
}
if (compressed) {
+ if (!msblk->stream)
+ goto read_failure;
length = squashfs_decompress(msblk, buf, b, offset, length,
output);
if (length < 0)
--
2.39.2
More information about the barebox
mailing list