squashfs: more metadata hardening

torvalds · gregkh · commit 953f918d548b · 2018-08-06T16:20:48.000+02:00
commit d512584 upstream. Anatoly reports another squashfs fuzzing issue, where the decompression parameters themselves are in a compressed block. This causes squashfs_read_data() to be called in order to read the decompression options before the decompression stream having been set up, making squashfs go sideways. Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com> Acked-by: Phillip Lougher <phillip.lougher@gmail.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c
@@ -167,6 +167,8 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length,
 	}
 
 	if (compressed) {
+		if (!msblk->stream)
+			goto read_failure;
 		length = squashfs_decompress(msblk, bh, b, offset, length,
 			output);
 		if (length < 0)

Original file line number	Diff line number	Diff line change
`@@ -167,6 +167,8 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length,`
`167`	`167`	`}`
`168`	`168`
`169`	`169`	`if (compressed) {`
	`170`	`+ if (!msblk->stream)`
	`171`	`+ goto read_failure;`
`170`	`172`	`length = squashfs_decompress(msblk, bh, b, offset, length,`
`171`	`173`	`output);`
`172`	`174`	`if (length < 0)`