linux/fs/squashfs
Phillip Lougher d31638ff6c Squashfs: fix variable overflow in squashfs_readpage_block
Syzbot reports a slab out of bounds access in squashfs_readpage_block().

This is caused by an attempt to read page index 0x2000000000.  This value
(start_index) is stored in an integer loop variable which overflows
producing a value of 0.  This causes a loop which iterates over pages
start_index -> end_index to iterate over 0 -> end_index, which ultimately
causes an out of bounds page array access.

Fix by changing variable to a loff_t, and rename to index to make it
clearer it is a page index, and not a loop count.

Link: https://lkml.kernel.org/r/20241020232200.837231-1-phillip@squashfs.org.uk
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Reported-by: "Lai, Yi" <yi1.lai@linux.intel.com>
Closes: https://lore.kernel.org/all/ZwzcnCAosIPqQ9Ie@ly-workstation/
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2024-10-30 20:14:12 -07:00
..
block.c
cache.c
decompressor_multi_percpu.c squashfs: fix percpu address space issues in decompressor_multi_percpu.c 2024-09-09 16:47:41 -07:00
decompressor_multi.c
decompressor_single.c
decompressor.c
decompressor.h
dir.c
export.c
file_cache.c
file_direct.c Squashfs: fix variable overflow in squashfs_readpage_block 2024-10-30 20:14:12 -07:00
file.c Squashfs: Ensure all readahead pages have been used 2024-08-23 13:11:36 +02:00
fragment.c
id.c
inode.c Squashfs: sanity check symbolic link size 2024-08-13 13:56:46 +02:00
Kconfig
lz4_wrapper.c
lzo_wrapper.c
Makefile
namei.c Squashfs: remove deprecated strncpy by not copying the string 2024-04-25 21:07:05 -07:00
page_actor.c Squashfs: Update page_actor to not use page->index 2024-08-19 14:08:20 +02:00
page_actor.h Squashfs: Ensure all readahead pages have been used 2024-08-23 13:11:36 +02:00
squashfs_fs_i.h
squashfs_fs_sb.h
squashfs_fs.h
squashfs.h
super.c
symlink.c squashfs: convert squashfs_symlink_read_folio to use folio APIs 2024-05-08 08:41:28 -07:00
xattr_id.c
xattr.c
xattr.h
xz_wrapper.c
zlib_wrapper.c
zstd_wrapper.c