Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux/fs/squashfs
History
Phillip Lougher fdb24a820a Squashfs: check metadata block offset is within range 
Syzkaller reports a "general protection fault in squashfs_copy_data"

This is ultimately caused by a corrupted index look-up table, which
produces a negative metadata block offset.

This is subsequently passed to squashfs_copy_data (via
squashfs_read_metadata) where the negative offset causes an out of bounds
access.

The fix is to check that the offset is within range in
squashfs_read_metadata.  This will trap this and other cases.

Link: https://lkml.kernel.org/r/20260217050955.138351-1-phillip@squashfs.org.uk
Fixes: f400e12656 ("Squashfs: cache operations")
Reported-by: syzbot+a9747fe1c35a5b115d3f@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/699234e2.a70a0220.2c38d7.00e2.GAE@google.com/
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 		2026-02-24 11:13:27 -08:00
..
Kconfig
Makefile
block.c
cache.c Squashfs: check metadata block offset is within range 2026-02-24 11:13:27 -08:00
decompressor.c
decompressor.h
decompressor_multi.c
decompressor_multi_percpu.c
decompressor_single.c
dir.c
export.c
file.c Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
file_cache.c
file_direct.c
fragment.c
id.c
inode.c
lz4_wrapper.c
lzo_wrapper.c
namei.c
page_actor.c
page_actor.h
squashfs.h
squashfs_fs.h
squashfs_fs_i.h
squashfs_fs_sb.h
super.c
symlink.c
xattr.c
xattr.h
xattr_id.c
xz_wrapper.c
zlib_wrapper.c
zstd_wrapper.c