Message ID | 20240802111640.2762325-1-lizhi.xu@windriver.com (mailing list archive)
---|---
State | New
Series | [V5] squashfs: Add i_size check in squash_read_inode
On Fri, Aug 02, 2024 at 07:16:40PM +0800, Lizhi Xu wrote:
> syzbot report KMSAN: uninit-value in pick_link, the root cause is that
> squashfs_symlink_read_folio did not check the length, resulting in folio
> not being initialized and did not return the corresponding error code.
>
> The length is calculated from i_size, so it is necessary to add a check
> when i_size is initialized to confirm that its value is correct, otherwise
> an error -EINVAL will be returned. Strictly, the check only applies to the
> symlink type. Add larger symlink check.
>
> Reported-and-tested-by: syzbot+24ac24ff58dc5b0d26b9@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=24ac24ff58dc5b0d26b9
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
> ---
> fs/squashfs/inode.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c
> index 16bd693d0b3a..6c5dd225482f 100644
> --- a/fs/squashfs/inode.c
> +++ b/fs/squashfs/inode.c
> @@ -287,6 +287,11 @@ int squashfs_read_inode(struct inode *inode, long long ino)
> inode->i_mode |= S_IFLNK;
> squashfs_i(inode)->start = block;
> squashfs_i(inode)->offset = offset;
> + if ((int)inode->i_size < 0 || inode->i_size > PAGE_SIZE) {
> + ERROR("Wrong i_size %d!\n", inode->i_size);
> + return -EINVAL;
> + }

ITYM something like

if (le32_to_cpu(sqsh_ino->symlink_size) > PAGE_SIZE) {
	ERROR("Corrupted symlink\n");
	return -EINVAL;
}
On Fri, 2 Aug 2024 14:52:14 +0100, Al Viro wrote:
> > + ERROR("Wrong i_size %d!\n", inode->i_size);
> > + return -EINVAL;
> > + }
>
> ITYM something like
I do not recommend this type of code, as it would add unnecessary calls to
le32_to_cpu compared to directly using i_size.
> if (le32_to_cpu(sqsh_ino->symlink_size) > PAGE_SIZE) {
> ERROR("Corrupted symlink\n");
> return -EINVAL;
> }

--
Lizhi
On Fri, Aug 02, 2024 at 10:44:15PM +0800, Lizhi Xu wrote:
> On Fri, 2 Aug 2024 14:52:14 +0100, Al Viro wrote:
> > > + ERROR("Wrong i_size %d!\n", inode->i_size);
> > > + return -EINVAL;
> > > + }
> >
> > ITYM something like
> I do not recommend this type of code, as it would add unnecessary calls
> to le32_to_cpu compared to directly using i_size.
> > if (le32_to_cpu(sqsh_ino->symlink_size) > PAGE_SIZE) {
> > ERROR("Corrupted symlink\n");
> > return -EINVAL;
> > }

You do realize that it's inlined, right? Seriously, compare the generated code...
diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c index 16bd693d0b3a..6c5dd225482f 100644 --- a/fs/squashfs/inode.c +++ b/fs/squashfs/inode.c @@ -287,6 +287,11 @@ int squashfs_read_inode(struct inode *inode, long long ino) inode->i_mode |= S_IFLNK; squashfs_i(inode)->start = block; squashfs_i(inode)->offset = offset; + if ((int)inode->i_size < 0 || inode->i_size > PAGE_SIZE) { + ERROR("Wrong i_size %d!\n", inode->i_size); + return -EINVAL; + } + if (type == SQUASHFS_LSYMLINK_TYPE) { __le32 xattr;
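Review bot: the format string in `ERROR("Wrong i_size %d!\n", inode->i_size);` does not match its argument: `inode->i_size` is a `loff_t` (64-bit), so `%d` prints a truncated value and trips -Wformat; use `%lld` with a `(long long)` cast, or, as Al Viro suggests in the thread, test the raw on-disk field with `if (le32_to_cpu(sqsh_ino->symlink_size) > PAGE_SIZE)` before it is copied into `i_size`, which makes the message accurate and the intent (a symlink target must fit in one page) explicit. The `(int)inode->i_size < 0` half of the condition is redundant once `inode->i_size > PAGE_SIZE` is checked: the value comes from a 32-bit little-endian `symlink_size`, so anything negative as an `int` is at least 2^31 and already exceeds PAGE_SIZE; dropping it avoids a confusing truncating cast. Separately, the commit message says "Strictly, the check only applies to the symlink type", and the placement inside the `S_IFLNK` branch before `if (type == SQUASHFS_LSYMLINK_TYPE)` does honour that, so a one-line comment above the check stating that it bounds the symlink target length would help the next reader.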
syzbot report KMSAN: uninit-value in pick_link, the root cause is that
squashfs_symlink_read_folio did not check the length, resulting in folio
not being initialized and did not return the corresponding error code.

The length is calculated from i_size, so it is necessary to add a check
when i_size is initialized to confirm that its value is correct, otherwise
an error -EINVAL will be returned. Strictly, the check only applies to the
symlink type. Add larger symlink check.

Reported-and-tested-by: syzbot+24ac24ff58dc5b0d26b9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=24ac24ff58dc5b0d26b9
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
fs/squashfs/inode.c | 5 +++++
1 file changed, 5 insertions(+)