
[Kernel,Bug] BUG: unable to handle kernel paging request in squashfs_cache_delete

Message ID CALf2hKvaq8B4u5yfrE+BYt7aNguao99mfWxHngA+=o5hwzjdOg@mail.gmail.com (mailing list archive)
State New

Commit Message

Zhiyu Zhang March 4, 2025, 7:50 a.m. UTC
Dear Developers and Maintainers,

We would like to report a Linux kernel bug titled "BUG: unable to
handle kernel paging request in squashfs_cache_delete" on
Linux-6.14-rc2; we also reproduced the PoC on the latest 6.14-rc5. Here
are the relevant attachments:

kernel config: https://drive.google.com/file/d/1s4fpvYKGRUbOcQsv5XZpzU1SVBvqKDZv/view?usp=sharing
report: https://drive.google.com/file/d/1nnlAc-_09lCZIL9gSh4llW5jgFIQ2jfO/view?usp=sharing
syz reproducer:
https://drive.google.com/file/d/13M44vrewnPesGubj5JspZdpnmsPgrFdG/view?usp=sharing
C reproducer: https://drive.google.com/file/d/11JZv7wQ7OInDdId6625EyfFw2jSs4UJc/view?usp=sharing


I assume this vulnerability may be caused by the missing check for
the error pointer *cache in fs/squashfs/cache.c:squashfs_cache_delete.
When the kernel fails to mount a squashfs (e.g., out of memory),
fs/squashfs/super.c:317:squashfs_cache_init will return an error
pointer (e.g., -ENOMEM) and goto failed_mount. However,
squashfs_cache_delete only checks if cache is NULL, resulting in a
further dereference of the invalid cache->entries and cache->pages and
crashing the kernel.

I tried the patch above, which can avoid the kernel panic after the SQUASHFS
error. However, I am not sure if my analysis and patch are
appropriate. Could you check this issue? With the verification, I
would like to submit a patch.

Wish you a nice day!

Best,
Zhiyu

Comments

Phillip Lougher March 6, 2025, 6:25 a.m. UTC | #1
On 04/03/2025 07:50, Zhiyu Zhang wrote:
> Dear Developers and Maintainers,
> 
> We would like to report a Linux kernel bug titled "BUG: unable to
> handle kernel paging request in squashfs_cache_delete" on
> Linux-6.14-rc2; we also reproduced the PoC on the latest 6.14-rc5. Here
> are the relevant attachments:
> 
> kernel config: https://drive.google.com/file/d/1s4fpvYKGRUbOcQsv5XZpzU1SVBvqKDZv/view?usp=sharing
> report: https://drive.google.com/file/d/1nnlAc-_09lCZIL9gSh4llW5jgFIQ2jfO/view?usp=sharing
> syz reproducer:
> https://drive.google.com/file/d/13M44vrewnPesGubj5JspZdpnmsPgrFdG/view?usp=sharing
> C reproducer: https://drive.google.com/file/d/11JZv7wQ7OInDdId6625EyfFw2jSs4UJc/view?usp=sharing
> 
> 
> I assume this vulnerability may be caused by the missing check for
> the error pointer *cache in fs/squashfs/cache.c:squashfs_cache_delete.
> When the kernel fails to mount a squashfs (e.g., out of memory),
> fs/squashfs/super.c:317:squashfs_cache_init will return an error
> pointer (e.g., -ENOMEM) and goto failed_mount. However,
> squashfs_cache_delete only checks if cache is NULL, resulting in a
> further dereference of the invalid cache->entries and cache->pages and
> crashing the kernel.
> 
> --- fs/squashfs/cache.c
> +++ fs/squashfs/cache.c
> @@ -198,6 +198,8 @@
>   {
>          int i, j;
> +        cache = IS_ERR(cache) ? NULL : cache;
> +
>          if (cache == NULL)
>                  return;
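Review bot: the added line `cache = IS_ERR(cache) ? NULL : cache;` rewrites the function parameter so that an error pointer slips past the existing `if (cache == NULL)` test, which hides the intent of the check and silently discards the errno carried in the pointer; replacing the condition itself with `if (IS_ERR(cache) || cache == NULL)` says what is being rejected, needs no extra assignment, and leaves the parameter untouched.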
> 
> I tried the patch above, which can avoid the kernel panic after the SQUASHFS
> error. However, I am not sure if my analysis and patch are
> appropriate. Could you check this issue? With the verification, I
> would like to submit a patch.
> 
> Wish you a nice day!
> 

My mistake.  Please submit a patch.

I would suggest a better fix would be to alter the if (cache == NULL) check to become

if (IS_ERR(cache) || cache == NULL)
	return;

Also please add the following line which identifies the patch that
introduced the error.

Fixes: 49ff29240ebb ("squashfs: make squashfs_cache_init() return ERR_PTR(-ENOMEM)")

Thanks

Phillip
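To make the mismatch concrete, here is an added userspace model (not squashfs or kernel code) of the report's analysis and of the check suggested in the reply: ERR_PTR/IS_ERR/PTR_ERR are re-implemented to mimic the kernel macros, and struct cache, cache_init() and cache_delete() are assumed stand-ins for the squashfs cache, its init and its delete.

```c
/* Added example, not squashfs code: a userspace model of the bug in the report.
 * ERR_PTR/IS_ERR/PTR_ERR mimic the kernel macros; struct cache stands in for struct squashfs_cache. */
#include <errno.h>
#include <stdlib.h>
#define MAX_ERRNO 4095
#define ERR_PTR(err) ((void *)(long)(err))
#define PTR_ERR(ptr) ((long)(ptr))
#define IS_ERR(ptr)  ((unsigned long)(ptr) >= (unsigned long)-MAX_ERRNO)
struct cache {
	int entries;
	void **entry;
};

/* Stand-in for squashfs_cache_init(): on failure (forced here by 'fail') it returns
 * ERR_PTR(-ENOMEM), a non-NULL value that a plain "cache == NULL" test accepts. */
static struct cache *cache_init(int entries, int fail)
{
	struct cache *cache = fail ? NULL : calloc(1, sizeof(*cache));
	if (!cache)
		return ERR_PTR(-ENOMEM);
	cache->entry = calloc(entries, sizeof(*cache->entry));
	cache->entries = cache->entry ? entries : 0;
	return cache;
}

/* The original check: only NULL is rejected, so an ERR_PTR would be dereferenced. */
static int old_check_lets_through(struct cache *cache)
{
	return cache != NULL;
}

/* The check suggested in the reply: reject NULL and error pointers alike. */
static int new_check_lets_through(struct cache *cache)
{
	return !(IS_ERR(cache) || cache == NULL);
}

/* Delete using the hardened check; returns entries freed, or -1 when skipped. */
static int cache_delete(struct cache *cache)
{
	int i, n;
	if (!new_check_lets_through(cache))
		return -1;
	n = cache->entries;
	for (i = 0; i < n; i++)
		free(cache->entry[i]);
	free(cache->entry);
	free(cache);
	return n;
}
```

Passing the failed init's return value straight to the delete, as the failed_mount path does, is exactly the case old_check_lets_through() accepts and new_check_lets_through() rejects.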

Patch

--- fs/squashfs/cache.c
+++ fs/squashfs/cache.c
@@ -198,6 +198,8 @@ 
 {
        int i, j;
+        cache = IS_ERR(cache) ? NULL : cache;
+
        if (cache == NULL)
                return;
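Review bot: as rendered here the hunk looks whitespace-damaged: the context lines `int i, j;` and `if (cache == NULL)` and the added `cache = IS_ERR(cache) ? NULL : cache;` are indented with spaces rather than tabs, so the patch is unlikely to apply cleanly and checkpatch will flag the added line; the `@@ -198,6 +198,8 @@` header also carries no function context, and the Patch section has no commit description or Fixes: tag, so please resend a tab-indented diff generated by git format-patch with a commit message.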
