squashfs: more metadata hardenings
authorLinus Torvalds <torvalds@linux-foundation.org>
Thu, 2 Aug 2018 15:43:35 +0000 (08:43 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 6 Aug 2018 14:23:03 +0000 (16:23 +0200)
commit52cd8f3790cf1e71b6b38b63735042a014a3ff8a
tree2cb74a6e898b42afeb3171ae986ed6abb34179ca
parent3abef06039cb43e0fe44f3714969af0b9a744dc5
squashfs: more metadata hardenings

commit 71755ee5350b63fb1f283de8561cdb61b47f4d1d upstream.

The squashfs fragment reading code doesn't actually verify that the
fragment is inside the fragment table.  The end result _is_ verified to
be inside the image when actually reading the fragment data, but before
that is done, we may end up taking a page fault because the fragment
table itself might not even exist.

Another report from Anatoly and his endless squashfs image fuzzing.

Reported-by: Анатолий Тросиненко <anatoly.trosinenko@gmail.com>
Acked-by:: Phillip Lougher <phillip.lougher@gmail.com>,
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/squashfs/fragment.c
fs/squashfs/squashfs_fs_sb.h
fs/squashfs/super.c