| From 8b44ca2b634527151af07447a8090a5f3a043321 Mon Sep 17 00:00:00 2001 |
| From: Phillip Lougher <phillip@squashfs.org.uk> |
| Date: Wed, 24 Mar 2021 21:37:35 -0700 |
| Subject: squashfs: fix xattr id and id lookup sanity checks |
| |
| From: Phillip Lougher <phillip@squashfs.org.uk> |
| |
| commit 8b44ca2b634527151af07447a8090a5f3a043321 upstream. |
| |
| The checks for maximum metadata block size is missing |
| SQUASHFS_BLOCK_OFFSET (the two byte length count). |
| |
| Link: https://lkml.kernel.org/r/2069685113.2081245.1614583677427@webmail.123-reg.co.uk |
| Fixes: f37aa4c7366e23f ("squashfs: add more sanity checks in id lookup") |
| Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk> |
| Cc: Sean Nyekjaer <sean@geanix.com> |
| Cc: <stable@vger.kernel.org> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| fs/squashfs/id.c | 6 ++++-- |
| fs/squashfs/xattr_id.c | 6 ++++-- |
| 2 files changed, 8 insertions(+), 4 deletions(-) |
| |
| --- a/fs/squashfs/id.c |
| +++ b/fs/squashfs/id.c |
| @@ -97,14 +97,16 @@ __le64 *squashfs_read_id_index_table(str |
| start = le64_to_cpu(table[n]); |
| end = le64_to_cpu(table[n + 1]); |
| |
| - if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) { |
| + if (start >= end || (end - start) > |
| + (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) { |
| kfree(table); |
| return ERR_PTR(-EINVAL); |
| } |
| } |
| |
| start = le64_to_cpu(table[indexes - 1]); |
| - if (start >= id_table_start || (id_table_start - start) > SQUASHFS_METADATA_SIZE) { |
| + if (start >= id_table_start || (id_table_start - start) > |
| + (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) { |
| kfree(table); |
| return ERR_PTR(-EINVAL); |
| } |
| --- a/fs/squashfs/xattr_id.c |
| +++ b/fs/squashfs/xattr_id.c |
| @@ -109,14 +109,16 @@ __le64 *squashfs_read_xattr_id_table(str |
| start = le64_to_cpu(table[n]); |
| end = le64_to_cpu(table[n + 1]); |
| |
| - if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) { |
| + if (start >= end || (end - start) > |
| + (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) { |
| kfree(table); |
| return ERR_PTR(-EINVAL); |
| } |
| } |
| |
| start = le64_to_cpu(table[indexes - 1]); |
| - if (start >= table_start || (table_start - start) > SQUASHFS_METADATA_SIZE) { |
| + if (start >= table_start || (table_start - start) > |
| + (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) { |
| kfree(table); |
| return ERR_PTR(-EINVAL); |
| } |