author | Phillip Lougher <phillip@squashfs.org.uk> | 2021-02-09 13:42:00 -0800 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2021-02-09 17:26:44 -0800 |
commit | 506220d2ba21791314af569211ffd8870b8208fa (patch) | |
tree | b627cb280569c5ed0e293dd2ba59ed198ed967f5 /mm/kasan | |
parent | eabac19e40c095543def79cb6ffeb3a8588aaff4 (diff) | |

squashfs: add more sanity checks in xattr id lookup

Sysbot has reported a warning where a kmalloc() attempt exceeds the
maximum limit. This has been identified as corruption of the xattr_ids
count when reading the xattr id lookup table.

This patch adds a number of additional sanity checks to detect this
corruption and others.

1. It checks for a corrupted xattr index read from the inode. This could
   be because the metadata block is uncompressed, or because the
   "compression" bit has been corrupted (turning a compressed block
   into an uncompressed block). This would cause an out of bounds read.

2. It checks against corruption of the xattr_ids count. This can either
   lead to the above kmalloc failure, or a smaller than expected
   table to be read.

3. It checks the contents of the index table for corruption.

[phillip@squashfs.org.uk: fix checkpatch issue]
Link: https://lkml.kernel.org/r/270245655.754655.1612770082682@webmail.123-reg.co.uk
Link: https://lkml.kernel.org/r/20210204130249.4495-5-phillip@squashfs.org.uk
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Reported-by: syzbot+2ccea6339d368360800d@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Diffstat (limited to 'mm/kasan')
0 files changed, 0 insertions, 0 deletions
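
The three checks listed in the commit message, modelled in user space as an added example; this is not the kernel patch, whose diff is not shown on this page. The function names, the size constants and the sample offsets are assumptions made for the sketch, and index entries are taken in host byte order.

```c
#include <stdint.h>

/* Assumed on-disk sizes for this model (not stated on the page). */
#define META_SIZE 8192u /* max uncompressed metadata block */
#define BLOCK_HDR 2u    /* length word in front of each metadata block */
#define ID_ENTRY  16u   /* bytes per xattr id entry */
#define TABLE_HDR 16u   /* xattr id table header preceding the index */

/* Check 1: an xattr index read from an inode must name an existing id. */
static int xattr_index_in_range(uint32_t index, uint32_t ids)
{
    return index < ids;
}

/* Check 2: a non-zero id count whose implied index size exactly fills
 * the space between the table header and the end of the filesystem.
 * Returns the number of index entries, or 0 if the count is corrupt. */
static uint64_t xattr_index_entries(uint32_t ids, uint64_t table_start,
                                    uint64_t fs_end)
{
    if (ids == 0 || fs_end < TABLE_HDR || table_start >= fs_end - TABLE_HDR)
        return 0;
    uint64_t blocks = ((uint64_t)ids * ID_ENTRY + META_SIZE - 1) / META_SIZE;
    if (blocks * sizeof(uint64_t) != fs_end - table_start - TABLE_HDR)
        return 0; /* reject before any allocation is sized from ids */
    return blocks;
}

/* Check 3: index entries (host byte order here) must ascend, lie below
 * the table header, and be at most one metadata block apart. */
static int xattr_index_sane(const uint64_t *idx, uint64_t n,
                            uint64_t table_start)
{
    if (n == 0)
        return 0;
    for (uint64_t i = 0; i < n; i++) {
        uint64_t start = idx[i];
        uint64_t end = (i + 1 < n) ? idx[i + 1] : table_start;
        if (start >= end || end - start > META_SIZE + BLOCK_HDR)
            return 0;
    }
    return 1;
}

int main(void)
{
    uint64_t idx[] = { 4000, 9000 }; /* constructed sample index */
    uint64_t n = xattr_index_entries(600, 10000, 10032);
    return !(n == 2 && xattr_index_sane(idx, n, 10000)
             && !xattr_index_in_range(600, 600));
}
```

Checking that the count-derived length matches the space actually available is what stops a corrupted count from sizing an allocation, in either direction.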