Message ID | 20231116031352.40853-1-lizhi.xu@windriver.com (mailing list archive) |
---|---|
State | New |
Series | squashfs: squashfs_read_data need to check if the length is 0 |
> On 16/11/2023 03:13 GMT Lizhi Xu <lizhi.xu@windriver.com> wrote: > > > when the length passed in is 0, the subsequent process should be exited. > Reproduced and tested. Reviewed-by: Phillip Lougher (phillip@squashfs.org.uk) > Reported-by: syzbot+32d3767580a1ea339a81@syzkaller.appspotmail.com > Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com> > --- > fs/squashfs/block.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c > index 581ce9519339..2dc730800f44 100644 > --- a/fs/squashfs/block.c > +++ b/fs/squashfs/block.c > @@ -321,7 +321,7 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length, > TRACE("Block @ 0x%llx, %scompressed size %d\n", index - 2, > compressed ? "" : "un", length); > } > - if (length < 0 || length > output->length || > + if (length <= 0 || length > output->length || > (index + length) > msblk->bytes_used) { > res = -EIO; > goto out; > -- > 2.25.1
On Thu, 16 Nov 2023 11:13:52 +0800 Lizhi Xu <lizhi.xu@windriver.com> wrote:

> when the length passed in is 0, the subsequent process should be exited.

Thanks, but when fixing a bug, please always describe the runtime effects of that bug. Amongst other things, other people need this information to be able to decide which kernel versions need patching.

> Reported-by: syzbot+32d3767580a1ea339a81@syzkaller.appspotmail.com

Which is a reason why we're now adding the "Closes:" tag after Reported-by:.

I googled the syzbot email address and so added

Closes: https://lkml.kernel.org/r/0000000000000526f2060a30a085@google.com

to the changelog.

I'll assume that a -stable kernel backport is needed.
On 16/11/2023 21:43, Andrew Morton wrote:
> On Thu, 16 Nov 2023 11:13:52 +0800 Lizhi Xu <lizhi.xu@windriver.com> wrote:
>
>> when the length passed in is 0, the subsequent process should be exited.
>
> Thanks, but when fixing a bug, please always describe the runtime
> effects of that bug. Amongst other things, other people need this
> information to be able to decide which kernel versions need patching.
>
>> Reported-by: syzbot+32d3767580a1ea339a81@syzkaller.appspotmail.com
>
> Which is a reason why we're now adding the "Closes:" tag after
> Reported-by:.

Which is also one reason why you should always run scripts/checkpatch.pl on your patch. This alerted me to the need for a "Closes:" tag after Reported-by: on the last patch I sent.

>
> I googled the syzbot email address and so added
>
> Closes: https://lkml.kernel.org/r/0000000000000526f2060a30a085@google.com
>
> to the changelog.

Thanks. That is indeed the syzbot issue that the patch fixes.

>
> I'll assume that a -stable kernel backport is needed.
>

Yes.

Phillip
diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c index 581ce9519339..2dc730800f44 100644 --- a/fs/squashfs/block.c +++ b/fs/squashfs/block.c @@ -321,7 +321,7 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length, TRACE("Block @ 0x%llx, %scompressed size %d\n", index - 2, compressed ? "" : "un", length); } - if (length < 0 || length > output->length || + if (length <= 0 || length > output->length || (index + length) > msblk->bytes_used) { res = -EIO; goto out;
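Review bot: The changed condition `length <= 0` now returns -EIO for a zero length, but neither the hunk nor the changelog says what a zero length caused further down in squashfs_read_data(), so a reader cannot tell from the patch what is being prevented or which kernels need it. Suggest a one-line comment above the check stating that a zero-length block is rejected as invalid, plus a changelog sentence describing the failure syzbot reported. Separately, in the unchanged line `(index + length) > msblk->bytes_used`, `index` is a u64 per the function signature shown, so the sum can wrap for a very large `index` and slip under the bound; checking `index` against `msblk->bytes_used` first and then comparing `length` with the remaining space would avoid relying on the addition.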
when the length passed in is 0, the subsequent process should be exited.

Reported-by: syzbot+32d3767580a1ea339a81@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
 fs/squashfs/block.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)