| From: Linus Torvalds <torvalds@linux-foundation.org> |
| Date: Mon, 30 Jul 2018 14:27:15 -0700 |
| Subject: squashfs: more metadata hardening |
| |
| commit d512584780d3e6a7cacb2f482834849453d444a1 upstream. |
| |
| Anatoly reports another squashfs fuzzing issue, where the decompression |
| parameters themselves are in a compressed block. |
| |
| This causes squashfs_read_data() to be called in order to read the |
| decompression options before the decompression stream having been set |
| up, making squashfs go sideways. |
| |
| Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com> |
| Acked-by: Phillip Lougher <phillip.lougher@gmail.com> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| fs/squashfs/block.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/fs/squashfs/block.c |
| +++ b/fs/squashfs/block.c |
| @@ -166,6 +166,8 @@ int squashfs_read_data(struct super_bloc |
| } |
| |
| if (compressed) { |
| + if (!msblk->stream) |
| + goto read_failure; |
| length = squashfs_decompress(msblk, bh, b, offset, length, |
| output); |
| if (length < 0) |
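Review bot: The new `if (!msblk->stream)` test at the top of the `if (compressed)` branch has no comment saying when the stream can legitimately be unset. The commit message explains it (the decompression options are read through squashfs_read_data() before the stream has been set up, and a crafted image can mark that block as compressed), but a reader of block.c will not see that. A one-line comment above the check would keep it from being removed later as dead code. The test also only catches a NULL pointer, so it is worth confirming that `msblk->stream` is guaranteed to be NULL, not uninitialised and not an error-pointer value, at every point before setup completes. Finally, `goto read_failure` sends this case down the same path as any other read error; if that path logs, a distinct message for "compressed block before decompressor setup" would make a malformed image easier to tell apart from an I/O fault during triage.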