Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1cac63cc authored by Phillip Lougher's avatar Phillip Lougher
Browse files

Squashfs: add sanity checks to fragment reading at mount time 



Fsfuzzer generates corrupted filesystems which throw a warn_on in
kmalloc.  One of these is due to a corrupted superblock fragments field.
Fix this by checking that the number of bytes to be read (and allocated)
does not extend into the next filesystem structure.

Also add a couple of other sanity checks of the mount-time fragment table
structures.

Signed-off-by: default avatarPhillip Lougher <phillip@lougher.demon.co.uk>
parent ac51a0a7

fs/squashfs/fragment.c

+22 −2
Original line number Diff line number Diff line
@@ -71,9 +71,29 @@ int squashfs_frag_lookup(struct super_block *sb, unsigned int fragment, 
 * Read the uncompressed fragment lookup table indexes off disk into memory

 */

__le64 *squashfs_read_fragment_index_table(struct super_block *sb,

	u64 fragment_table_start, unsigned int fragments)

	u64 fragment_table_start, u64 next_table, unsigned int fragments)

{

	unsigned int length = SQUASHFS_FRAGMENT_INDEX_BYTES(fragments);

	__le64 *table;



	return squashfs_read_table(sb, fragment_table_start, length);

	/*

	 * Sanity check, length bytes should not extend into the next table -

	 * this check also traps instances where fragment_table_start is

	 * incorrectly larger than the next table start

	 */

	if (fragment_table_start + length > next_table)

		return ERR_PTR(-EINVAL);



	table = squashfs_read_table(sb, fragment_table_start, length);



	/*

	 * table[0] points to the first fragment table metadata block, this

	 * should be less than fragment_table_start

	 */

	if (!IS_ERR(table) && table[0] >= fragment_table_start) {

		kfree(table);

		return ERR_PTR(-EINVAL);

	}



	return table;

}

fs/squashfs/squashfs.h

+1 −1
Original line number Diff line number Diff line
@@ -57,7 +57,7 @@ extern __le64 *squashfs_read_inode_lookup_table(struct super_block *, u64, u64, 
/* fragment.c */

extern int squashfs_frag_lookup(struct super_block *, unsigned int, u64 *);

extern __le64 *squashfs_read_fragment_index_table(struct super_block *,

				u64, unsigned int);

				u64, u64, unsigned int);



/* id.c */

extern int squashfs_get_id(struct super_block *, unsigned int, unsigned int *);

fs/squashfs/super.c

+2 −1
Original line number Diff line number Diff line
@@ -261,6 +261,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent) 
		msblk->inode_lookup_table = NULL;

		goto failed_mount;

	}

	next_table = msblk->inode_lookup_table[0];



	sb->s_export_op = &squashfs_export_ops;
@@ -278,7 +279,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent) 


	/* Allocate and read fragment index table */

	msblk->fragment_index = squashfs_read_fragment_index_table(sb,

		le64_to_cpu(sblk->fragment_table_start), fragments);

		le64_to_cpu(sblk->fragment_table_start), next_table, fragments);

	if (IS_ERR(msblk->fragment_index)) {

		ERROR("unable to read fragment index table\n");

		err = PTR_ERR(msblk->fragment_index);