• P
    squashfs: avoid out of bounds writes in decompressors · e812cbbb
    Phillip Lougher 提交于
    Patch series "Squashfs: fix BIO migration regression and add sanity checks".
    
    Patch [1/4] fixes a regression introduced by the "migrate from
    ll_rw_block usage to BIO" patch, which has produced a number of
    Sysbot/Syzkaller reports.
    
    Patches [2/4], [3/4], and [4/4] fix a number of filesystem corruption
    issues which have produced Sysbot reports in the id, inode and xattr
    lookup code.
    
    Each patch has been tested against the Sysbot reproducers using the
    given kernel configuration.  They have the appropriate "Reported-by:"
    lines added.
    
    Additionally, all of the reproducer filesystems are indirectly fixed by
    patch [4/4] due to the fact they all have xattr corruption which is now
    detected there.
    
    Additional testing with other configurations and architectures (32bit,
    big endian), and normal filesystems has also been done to trap any
    inadvertent regressions caused by the additional sanity checks.
    
    This patch (of 4):
    
    This is a regression introduced by the patch "migrate from ll_rw_block
    usage to BIO".
    
    Sysbot/Syskaller has reported a number of "out of bounds writes" and
    "unable to handle kernel paging request in squashfs_decompress" errors
    which have been identified as a regression introduced by the above
    patch.
    
    Specifically, the patch removed the following sanity check
    
            if (length < 0 || length > output->length ||
    		(index + length) > msblk->bytes_used)
    
    This check did two things:
    
    1. It ensured any reads were not beyond the end of the filesystem
    
    2. It ensured that the "length" field read from the filesystem
       was within the expected maximum length.  Without this any
       corrupted values can over-run allocated buffers.
    
    Link: https://lkml.kernel.org/r/20210204130249.4495-1-phillip@squashfs.org.uk
    Link: https://lkml.kernel.org/r/20210204130249.4495-2-phillip@squashfs.org.uk
    Fixes: 93e72b3c ("squashfs: migrate from ll_rw_block usage to BIO")
    Reported-by: syzbot+6fba78f99b9afd4b5634@syzkaller.appspotmail.com
    Signed-off-by: NPhillip Lougher <phillip@squashfs.org.uk>
    Cc: Philippe Liard <pliard@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
    e812cbbb
block.c 5.8 KB