squashfs: be more careful about metadata corruption

commit 01cfb7937a9af2abb1136c7e89fbf3fd92952956 upstream. Anatoly Trosinenko reports that a corrupted squashfs image can cause a kernel oops. It turns out that squashfs can end up being confused about negative fragment lengths. The regular squashfs_read_data() does check for negative lengths, but squashfs_read_metadata() did not, and the fragment size code just blindly trusted the on-disk value. Fix both the fragment parsing and the metadata reading code. Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Phillip Lougher <phillip@squashfs.org.uk> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Linus Torvalds <torvalds@linux-foundation.org> 2018-07-29 12:44:46 -0700
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-08-06 16:24:40 +0200
commit: d0f02f70b31306f98619aa7532613008507deda5 (patch)
tree: e74ee81838519e3732881d33ecb9f13e31307fe1 /fs/squashfs/cache.c
parent: 1ed4ccaf052ec2fe00043759a284921e468687c3 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/squashfs/cache.c b/fs/squashfs/cache.c
index 1cb70a0b2168..91ce49c05b7c 100644
--- a/fs/squashfs/cache.c
+++ b/fs/squashfs/cache.c
@@ -350,6 +350,9 @@ int squashfs_read_metadata(struct super_block *sb, void *buffer,
 
 	TRACE("Entered squashfs_read_metadata [%llx:%x]\n", *block, *offset);
 
+	if (unlikely(length < 0))
+		return -EIO;
+
 	while (length) {
 		entry = squashfs_cache_get(sb, msblk->block_cache, *block, 0);
 		if (entry->error) {
author	Linus Torvalds <torvalds@linux-foundation.org>	2018-07-29 12:44:46 -0700
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-08-06 16:24:40 +0200
commit	d0f02f70b31306f98619aa7532613008507deda5 (patch)
tree	e74ee81838519e3732881d33ecb9f13e31307fe1 /fs/squashfs/cache.c
parent	1ed4ccaf052ec2fe00043759a284921e468687c3 (diff)