* Re: [PATCH 1/4] Squashfs: avoid out of bounds writes in decompressors
From: Andrew Morton @ 2021-02-05  0:53 UTC (permalink / raw)
  To: Phillip Lougher; +Cc: linux-kernel, syzbot+6fba78f99b9afd4b5634

On Thu,  4 Feb 2021 13:02:46 +0000 Phillip Lougher <phillip@squashfs.org.uk> wrote:

> This is a regression introduced by the patch "migrate from ll_rw_block
> usage to BIO".

Fixes: 93e72b3c612adc ("squashfs: migrate from ll_rw_block usage to BIO")

> Syzbot/Syzkaller has reported a number of "out of bounds writes" and
> "unable to handle kernel paging request in squashfs_decompress" errors
> which have been identified as a regression introduced by the above patch.
> 
> Specifically, the patch removed the following sanity check
> 
> if (length < 0 || length > output->length ||
> 		(index + length) > msblk->bytes_used)
> 
> This check did two things:
> 
> 1. It ensured any reads were not beyond the end of the filesystem
> 
> 2. It ensured that the "length" field read from the filesystem
>    was within the expected maximum length.  Without this any
>    corrupted values can over-run allocated buffers.
> 

All sounds fairly serious.  Should I add a cc:stable to this?
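
The two properties of the removed check quoted above, modelled in userspace C as an added example (not code from the patch, the kernel, or either participant in this thread). The struct and function names are hypothetical, `memcpy` stands in for the decompressor, and the end-of-filesystem test goes beyond the quoted form by being written so that `index + length` cannot wrap.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Userspace model; the struct and function names are hypothetical. */
struct model_fs  { const uint8_t *image; uint64_t bytes_used; };
struct model_out { uint8_t *data; int length; };  /* capacity of output buffer */

/* The two properties of the removed check, with the end-of-filesystem test
 * written as a subtraction so that index + length cannot wrap around. */
static int block_in_bounds(const struct model_fs *fs, const struct model_out *out,
                           uint64_t index, int length)
{
    if (length < 0 || length > out->length)
        return 0;                   /* on-disk length exceeds the buffer */
    if (index > fs->bytes_used || (uint64_t)length > fs->bytes_used - index)
        return 0;                   /* read would run past the filesystem */
    return 1;
}

/* memcpy stands in for the decompressor writing into the output buffer. */
int model_read_block(const struct model_fs *fs, struct model_out *out,
                     uint64_t index, int length)
{
    if (!block_in_bounds(fs, out, index, length))
        return -EIO;
    memcpy(out->data, fs->image + index, (size_t)length);
    return length;
}

/* Constructed sample: a 64-byte "filesystem" and a 16-byte output buffer. */
static uint8_t sample_image[64];
static uint8_t sample_buf[16];

int demo(uint64_t index, int length)
{
    struct model_fs fs = { sample_image, sizeof(sample_image) };
    struct model_out out = { sample_buf, (int)sizeof(sample_buf) };
    return model_read_block(&fs, &out, index, length);
}

int main(void)
{
    /* valid read, oversized length, read past end, wrapping index */
    return !(demo(0, 16) == 16 && demo(0, 17) == -EIO &&
             demo(56, 16) == -EIO && demo(UINT64_MAX, 8) == -EIO);
}
```

With the `block_in_bounds` call removed, the `demo(0, 17)` case would write one byte past `sample_buf`, which is the class of out-of-bounds write the quoted commit message describes.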
