Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

squashfs: fix xattr id and id lookup sanity checks

The checks for the maximum metadata block size are missing
SQUASHFS_BLOCK_OFFSET (the two byte length count).

Link: https://lkml.kernel.org/r/2069685113.2081245.1614583677427@webmail.123-reg.co.uk
Fixes: f37aa4c7366e23f ("squashfs: add more sanity checks in id lookup")
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Cc: Sean Nyekjaer <sean@geanix.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Phillip Lougher and committed by
Linus Torvalds
8b44ca2b c1b20283

+8 -4
+4 -2
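--- a/fs/squashfs/id.c
+++ b/fs/squashfs/id.c
@@ -97,14 +97,16 @@
 start = le64_to_cpu(table[n]);
 end = le64_to_cpu(table[n + 1]);
 
-if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {
+if (start >= end || (end - start) >
+(SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
 kfree(table);
 return ERR_PTR(-EINVAL);
 }
 }
 
 start = le64_to_cpu(table[indexes - 1]);
-if (start >= id_table_start || (id_table_start - start) > SQUASHFS_METADATA_SIZE) {
+if (start >= id_table_start || (id_table_start - start) >
+(SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
 kfree(table);
 return ERR_PTR(-EINVAL);
 }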
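Review bot: The bound `SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET` is now written out four times, in both checks here and in the two matching checks in fs/squashfs/xattr_id.c, with no comment saying why the length header is part of the limit. That missing explanation is the omission this commit repairs, so it is worth stating next to the first check, e.g. `/* an on-disk metadata block is the two-byte length count plus up to SQUASHFS_METADATA_SIZE bytes of data */`. A single shared macro for the on-disk maximum would also keep the index-table validators from drifting apart again. These index entries are read from the filesystem image, so the limit has to reject corrupted offsets without refusing a full-size block. The enclosing function starts and ends outside the hunk.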
+4 -2
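--- a/fs/squashfs/xattr_id.c
+++ b/fs/squashfs/xattr_id.c
@@ -109,14 +109,16 @@
 start = le64_to_cpu(table[n]);
 end = le64_to_cpu(table[n + 1]);
 
-if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {
+if (start >= end || (end - start) >
+(SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
 kfree(table);
 return ERR_PTR(-EINVAL);
 }
 }
 
 start = le64_to_cpu(table[indexes - 1]);
-if (start >= table_start || (table_start - start) > SQUASHFS_METADATA_SIZE) {
+if (start >= table_start || (table_start - start) >
+(SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
 kfree(table);
 return ERR_PTR(-EINVAL);
 }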