[V4] squashfs: Add i_size check in squash_read_inode

Message ID	20240802030114.1400462-1-lizhi.xu@windriver.com (mailing list archive)
State	New
Headers	show Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 640983D68; Fri, 2 Aug 2024 03:01:51 +0000 (UTC) From: Lizhi Xu <lizhi.xu@windriver.com> To: <lizhi.xu@windriver.com> CC: <brauner@kernel.org>, <jack@suse.cz>, <linux-fsdevel@vger.kernel.org>, <linux-kernel@vger.kernel.org>, <phillip@squashfs.org.uk>, <squashfs-devel@lists.sourceforge.net>, <syzbot+24ac24ff58dc5b0d26b9@syzkaller.appspotmail.com>, <syzkaller-bugs@googlegroups.com>, <viro@zeniv.linux.org.uk> Subject: [PATCH V4] squashfs: Add i_size check in squash_read_inode Date: Fri, 2 Aug 2024 11:01:14 +0800 Message-ID: <20240802030114.1400462-1-lizhi.xu@windriver.com> In-Reply-To: <20240802015006.900168-1-lizhi.xu@windriver.com> References: <20240802015006.900168-1-lizhi.xu@windriver.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	[V4] squashfs: Add i_size check in squash_read_inode \| expand [V4] squashfs: Add i_size check in squash_read_inode

Message ID

20240802030114.1400462-1-lizhi.xu@windriver.com (mailing list archive)

State

New

Headers

From: Lizhi Xu <lizhi.xu@windriver.com>
To: <lizhi.xu@windriver.com>
CC: <brauner@kernel.org>, <jack@suse.cz>, <linux-fsdevel@vger.kernel.org>,
        <linux-kernel@vger.kernel.org>, <phillip@squashfs.org.uk>,
        <squashfs-devel@lists.sourceforge.net>,
        <syzbot+24ac24ff58dc5b0d26b9@syzkaller.appspotmail.com>,
        <syzkaller-bugs@googlegroups.com>, <viro@zeniv.linux.org.uk>
Subject: [PATCH V4] squashfs: Add i_size check in squash_read_inode
Date: Fri, 2 Aug 2024 11:01:14 +0800
Message-ID: <20240802030114.1400462-1-lizhi.xu@windriver.com>
In-Reply-To: <20240802015006.900168-1-lizhi.xu@windriver.com>
References: <20240802015006.900168-1-lizhi.xu@windriver.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

[V4] squashfs: Add i_size check in squash_read_inode | expand

Commit Message

Lizhi Xu Aug. 2, 2024, 3:01 a.m. UTC

syzbot report KMSAN: uninit-value in pick_link, the root cause is that
squashfs_symlink_read_folio did not check the length, resulting in folio
not being initialized and did not return the corresponding error code.

The length is calculated from i_size, so it is necessary to add a check
when i_size is initialized to confirm that its value is correct, otherwise
an error -EINVAL will be returned. Strictly, the check only applies to the
symlink type.

Reported-and-tested-by: syzbot+24ac24ff58dc5b0d26b9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=24ac24ff58dc5b0d26b9
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
 fs/squashfs/inode.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Jan Kara Aug. 2, 2024, 9:33 a.m. UTC | #1

On Fri 02-08-24 11:01:14, Lizhi Xu wrote:
> syzbot report KMSAN: uninit-value in pick_link, the root cause is that
> squashfs_symlink_read_folio did not check the length, resulting in folio
> not being initialized and did not return the corresponding error code.
> 
> The length is calculated from i_size, so it is necessary to add a check
> when i_size is initialized to confirm that its value is correct, otherwise
> an error -EINVAL will be returned. Strictly, the check only applies to the
> symlink type.
> 
> Reported-and-tested-by: syzbot+24ac24ff58dc5b0d26b9@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=24ac24ff58dc5b0d26b9
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
> ---
>  fs/squashfs/inode.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c
> index 16bd693d0b3a..6c5dd225482f 100644
> --- a/fs/squashfs/inode.c
> +++ b/fs/squashfs/inode.c
> @@ -287,6 +287,11 @@ int squashfs_read_inode(struct inode *inode, long long ino)
>  		inode->i_mode |= S_IFLNK;
>  		squashfs_i(inode)->start = block;
>  		squashfs_i(inode)->offset = offset;
> +		if ((int)inode->i_size < 0) {

Looks good. I think you could actually add even more agressive check like:

		if (inode->i_size > PAGE_SIZE) {

because larger symlink isn't supported by squashfs code anyway.

									Honza

> +			ERROR("Wrong i_size %d!\n", inode->i_size);
> +			return -EINVAL;
> +		}
> +
>  
>  		if (type == SQUASHFS_LSYMLINK_TYPE) {
>  			__le32 xattr;
> -- 
> 2.43.0
>

diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c
index 16bd693d0b3a..6c5dd225482f 100644
--- a/fs/squashfs/inode.c
+++ b/fs/squashfs/inode.c
@@ -287,6 +287,11 @@  int squashfs_read_inode(struct inode *inode, long long ino)
 		inode->i_mode |= S_IFLNK;
 		squashfs_i(inode)->start = block;
 		squashfs_i(inode)->offset = offset;
+		if ((int)inode->i_size < 0) {
+			ERROR("Wrong i_size %d!\n", inode->i_size);
+			return -EINVAL;
+		}
+
 
 		if (type == SQUASHFS_LSYMLINK_TYPE) {
 			__le32 xattr;

[V4] squashfs: Add i_size check in squash_read_inode

Commit Message

Comments

Patch