path: root/fs/squashfs/fragment.c
Age | Commit message | Author | Files | Lines
2018-08-02 | squashfs: more metadata hardening | Linus Torvalds | 1 | -4/+9

The squashfs fragment reading code doesn't actually verify that the fragment is inside the fragment table. The end result _is_ verified to be inside the image when actually reading the fragment data, but before that is done, we may end up taking a page fault because the fragment table itself might not even exist. Another report from Anatoly and his endless squashfs image fuzzing.

Reported-by: Анатолий Тросиненко <anatoly.trosinenko@gmail.com>
Acked-by: Phillip Lougher <phillip.lougher@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2018-07-29 | squashfs: be more careful about metadata corruption | Linus Torvalds | 1 | -3/+1

Anatoly Trosinenko reports that a corrupted squashfs image can cause a kernel oops. It turns out that squashfs can end up being confused about negative fragment lengths. The regular squashfs_read_data() does check for negative lengths, but squashfs_read_metadata() did not, and the fragment size code just blindly trusted the on-disk value. Fix both the fragment parsing and the metadata reading code.

Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Phillip Lougher <phillip@squashfs.org.uk>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-05-29 | Squashfs: Fix sanity check patches on big-endian systems | Phillip Lougher | 1 | -1/+1

le64 values should be swapped when accessing on big-endian systems.

Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
2011-05-26 | Squashfs: update email address | Phillip Lougher | 1 | -1/+1

My existing email address may stop working in a month or two, so update email to one that will continue working.

Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
2011-05-25 | Squashfs: add sanity checks to fragment reading at mount time | Phillip Lougher | 1 | -2/+22

Fsfuzzer generates corrupted filesystems which throw a warn_on in kmalloc. One of these is due to a corrupted superblock fragments field. Fix this by checking that the number of bytes to be read (and allocated) does not extend into the next filesystem structure. Also add a couple of other sanity checks of the mount-time fragment table structures.

Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
2011-05-25 | Squashfs: move table allocation into squashfs_read_table() | Phillip Lougher | 1 | -18/+1

This eliminates a lot of duplicate code.

Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
2011-01-13 | Squashfs: move squashfs_i() definition from squashfs.h | Phillip Lougher | 1 | -1/+0

Move squashfs_i() definition out of squashfs.h, this eliminates the need to #include squashfs_fs_i.h from numerous files.

Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
2010-01-20 | Squashfs: factor out remaining zlib dependencies into separate wrapper file | Phillip Lougher | 1 | -1/+0

Move zlib buffer init/destroy code into separate wrapper file. Also make zlib z_stream field a void * removing the need to include zlib.h for most files.

Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
2009-01-05 | Squashfs: fragment block operations | Phillip Lougher | 1 | -0/+98

Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>