* [PATCH] Squashfs: fix xattr id and id lookup sanity checks
@ 2021-03-01  7:27 Phillip Lougher
  2021-03-03  0:34 ` Andrew Morton
  2021-03-09  5:37 ` Andrew Morton
  0 siblings, 2 replies; 5+ messages in thread
From: Phillip Lougher @ 2021-03-01  7:27 UTC (permalink / raw)
  To: linux-kernel, Andrew Morton

The checks for maximum metadata block size are
missing SQUASHFS_BLOCK_OFFSET (the two byte length
count).

Cc: stable@vger.kernel.org
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
---
 fs/squashfs/id.c       | 6 ++++--
 fs/squashfs/xattr_id.c | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/fs/squashfs/id.c b/fs/squashfs/id.c
index 11581bf31af4..ea5387679723 100644
--- a/fs/squashfs/id.c
+++ b/fs/squashfs/id.c
@@ -97,14 +97,16 @@ __le64 *squashfs_read_id_index_table(struct super_block *sb,
 		start = le64_to_cpu(table[n]);
 		end = le64_to_cpu(table[n + 1]);
 
-		if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {
+		if (start >= end || (end - start) >
+				(SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
 			kfree(table);
 			return ERR_PTR(-EINVAL);
 		}
 	}
 
 	start = le64_to_cpu(table[indexes - 1]);
-	if (start >= id_table_start || (id_table_start - start) > SQUASHFS_METADATA_SIZE) {
+	if (start >= id_table_start || (id_table_start - start) >
+				(SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
 		kfree(table);
 		return ERR_PTR(-EINVAL);
 	}
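Review bot: Both new conditions in this hunk use SQUASHFS_BLOCK_OFFSET, but the diffstat touches only fs/squashfs/id.c and fs/squashfs/xattr_id.c and no hunk adds a definition, so the patch only builds if the macro already exists in the tree. Name the prerequisite patch in the changelog, or send the two as a series, so that a stable backport picks up both. The changelog should also say what a user sees without the fix and carry a Fixes: tag for the commit that introduced these checks.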
diff --git a/fs/squashfs/xattr_id.c b/fs/squashfs/xattr_id.c
index ead66670b41a..087cab8c78f4 100644
--- a/fs/squashfs/xattr_id.c
+++ b/fs/squashfs/xattr_id.c
@@ -109,14 +109,16 @@ __le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 table_start,
 		start = le64_to_cpu(table[n]);
 		end = le64_to_cpu(table[n + 1]);
 
-		if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {
+		if (start >= end || (end - start) >
+				(SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
 			kfree(table);
 			return ERR_PTR(-EINVAL);
 		}
 	}
 
 	start = le64_to_cpu(table[indexes - 1]);
-	if (start >= table_start || (table_start - start) > SQUASHFS_METADATA_SIZE) {
+	if (start >= table_start || (table_start - start) >
+				(SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
 		kfree(table);
 		return ERR_PTR(-EINVAL);
 	}
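Review bot: The bound (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET) is now written out four times across the two files, twice in this hunk. A single named limit for the largest on-disk metadata block, with a comment that the extra two bytes are the length count, would keep the id and xattr id checks in step if the limit ever changes. The comparison remains a strict '>', so a gap of exactly the full size plus the length count is accepted and anything larger still returns -EINVAL; a one-line comment stating that this is the intended upper bound would help the next reader of the sanity check.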
-- 
2.29.2


* Re: [PATCH] Squashfs: fix xattr id and id lookup sanity checks
  2021-03-01  7:27 [PATCH] Squashfs: fix xattr id and id lookup sanity checks Phillip Lougher
@ 2021-03-03  0:34 ` Andrew Morton
  2021-03-03  0:58   ` Phillip Lougher
  2021-03-09  5:37 ` Andrew Morton
  1 sibling, 1 reply; 5+ messages in thread
From: Andrew Morton @ 2021-03-03  0:34 UTC (permalink / raw)
  To: Phillip Lougher; +Cc: linux-kernel

On Mon, 1 Mar 2021 07:27:57 +0000 (GMT) Phillip Lougher <phillip@squashfs.org.uk> wrote:

> The checks for maximum metadata block size are
> missing SQUASHFS_BLOCK_OFFSET (the two byte length
> count).

What are the user visible consequences of this bug?

> Cc: stable@vger.kernel.org
> Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>

Fixes: f37aa4c7366e23f ("squashfs: add more sanity checks in id lookup")

yes?

* Re: [PATCH] Squashfs: fix xattr id and id lookup sanity checks
  2021-03-03  0:34 ` Andrew Morton
@ 2021-03-03  0:58   ` Phillip Lougher
  0 siblings, 0 replies; 5+ messages in thread
From: Phillip Lougher @ 2021-03-03  0:58 UTC (permalink / raw)
  To: Andrew Morton; +Cc: linux-kernel


> On 03/03/2021 00:34 Andrew Morton <akpm@linux-foundation.org> wrote:
> 
>  
> On Mon, 1 Mar 2021 07:27:57 +0000 (GMT) Phillip Lougher <phillip@squashfs.org.uk> wrote:
> 
> > The checks for maximum metadata block size are
> > missing SQUASHFS_BLOCK_OFFSET (the two byte length
> > count).
> 
> What are the user visible consequences of this bug?

The user will be unable to mount the filesystem, because it will
fail the sanity check.


> 
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
> 
> Fixes: f37aa4c7366e23f ("squashfs: add more sanity checks in id lookup")
> 
> yes?

Yes.

Phillip


* Re: [PATCH] Squashfs: fix xattr id and id lookup sanity checks
  2021-03-01  7:27 [PATCH] Squashfs: fix xattr id and id lookup sanity checks Phillip Lougher
  2021-03-03  0:34 ` Andrew Morton
@ 2021-03-09  5:37 ` Andrew Morton
  1 sibling, 0 replies; 5+ messages in thread
From: Andrew Morton @ 2021-03-09  5:37 UTC (permalink / raw)
  To: Phillip Lougher; +Cc: linux-kernel

On Mon, 1 Mar 2021 07:27:57 +0000 (GMT) Phillip Lougher <phillip@squashfs.org.uk> wrote:

> The checks for maximum metadata block size are
> missing SQUASHFS_BLOCK_OFFSET (the two byte length
> count).

There is no definition of SQUASHFS_BLOCK_OFFSET.  Makes compiler unhappy.


* Re: [PATCH] Squashfs: fix xattr id and id lookup sanity checks
@ 2021-03-09 14:43 Sean Nyekjaer
  0 siblings, 0 replies; 5+ messages in thread
From: Sean Nyekjaer @ 2021-03-09 14:43 UTC (permalink / raw)
  To: Andrew Morton; +Cc: Phillip Lougher, linux-kernel

Hi Andrew

This patch depends on my patch ([PATCH] squashfs: fix inode lookup sanity checks)
which adds the SQUASHFS_BLOCK_OFFSET :)

/Sean

