linux/fs/squashfs
Phillip Lougher 506220d2ba squashfs: add more sanity checks in xattr id lookup
Sysbot has reported a warning where a kmalloc() attempt exceeds the
maximum limit.  This has been identified as corruption of the xattr_ids
count when reading the xattr id lookup table.

This patch adds a number of additional sanity checks to detect this
corruption and others.

1. It checks for a corrupted xattr index read from the inode.  This could
   be because the metadata block is uncompressed, or because the
   "compression" bit has been corrupted (turning a compressed block
   into an uncompressed block).  This would cause an out of bounds read.

2. It checks against corruption of the xattr_ids count.  This can either
   lead to the above kmalloc failure, or a smaller than expected
   table to be read.

3. It checks the contents of the index table for corruption.

[phillip@squashfs.org.uk: fix checkpatch issue]
  Link: https://lkml.kernel.org/r/270245655.754655.1612770082682@webmail.123-reg.co.uk

Link: https://lkml.kernel.org/r/20210204130249.4495-5-phillip@squashfs.org.uk
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Reported-by: syzbot+2ccea6339d368360800d@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2021-02-09 17:26:44 -08:00
..
block.c squashfs: avoid out of bounds writes in decompressors 2021-02-09 17:26:44 -08:00
cache.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 35 2019-05-24 17:27:11 +02:00
decompressor_multi_percpu.c Merge branch 'akpm' (patches from Andrew) 2020-06-02 12:21:36 -07:00
decompressor_multi.c squashfs: migrate from ll_rw_block usage to BIO 2020-06-02 10:59:05 -07:00
decompressor_single.c squashfs: migrate from ll_rw_block usage to BIO 2020-06-02 10:59:05 -07:00
decompressor.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 35 2019-05-24 17:27:11 +02:00
decompressor.h squashfs: migrate from ll_rw_block usage to BIO 2020-06-02 10:59:05 -07:00
dir.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 35 2019-05-24 17:27:11 +02:00
export.c squashfs: add more sanity checks in inode lookup 2021-02-09 17:26:44 -08:00
file_cache.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 499 2019-06-19 17:09:53 +02:00
file_direct.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 499 2019-06-19 17:09:53 +02:00
file.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 35 2019-05-24 17:27:11 +02:00
fragment.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 35 2019-05-24 17:27:11 +02:00
id.c squashfs: add more sanity checks in id lookup 2021-02-09 17:26:44 -08:00
inode.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 35 2019-05-24 17:27:11 +02:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
lz4_wrapper.c squashfs: migrate from ll_rw_block usage to BIO 2020-06-02 10:59:05 -07:00
lzo_wrapper.c squashfs: migrate from ll_rw_block usage to BIO 2020-06-02 10:59:05 -07:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
namei.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 35 2019-05-24 17:27:11 +02:00
page_actor.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 499 2019-06-19 17:09:53 +02:00
page_actor.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 499 2019-06-19 17:09:53 +02:00
squashfs_fs_i.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 35 2019-05-24 17:27:11 +02:00
squashfs_fs_sb.h squashfs: add more sanity checks in id lookup 2021-02-09 17:26:44 -08:00
squashfs_fs.h Squashfs: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
squashfs.h squashfs: migrate from ll_rw_block usage to BIO 2020-06-02 10:59:05 -07:00
super.c squashfs: add more sanity checks in id lookup 2021-02-09 17:26:44 -08:00
symlink.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 35 2019-05-24 17:27:11 +02:00
xattr_id.c squashfs: add more sanity checks in xattr id lookup 2021-02-09 17:26:44 -08:00
xattr.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 35 2019-05-24 17:27:11 +02:00
xattr.h squashfs: add more sanity checks in id lookup 2021-02-09 17:26:44 -08:00
xz_wrapper.c squashfs: migrate from ll_rw_block usage to BIO 2020-06-02 10:59:05 -07:00
zlib_wrapper.c squashfs: migrate from ll_rw_block usage to BIO 2020-06-02 10:59:05 -07:00
zstd_wrapper.c squashfs: migrate from ll_rw_block usage to BIO 2020-06-02 10:59:05 -07:00