03 Aug, 2018

1 commit

• 71755ee53   squashfs: more metadata hardening ... Browse Code »

  The squashfs fragment reading code doesn't actually verify that the
  fragment is inside the fragment table. The end result _is_ verified to
  be inside the image when actually reading the fragment data, but before
  that is done, we may end up taking a page fault because the fragment
  table itself might not even exist.

  Another report from Anatoly and his endless squashfs image fuzzing.

  Reported-by: Анатолий Тросиненко
  Acked-by:: Phillip Lougher ,
  Cc: Willy Tarreau
  Signed-off-by: Linus Torvalds

  Linus Torvalds

  2018-08-03 00:32:23 +0800  

30 Jul, 2018

1 commit

• 01cfb7937   squashfs: be more careful about metadata corruption ... Browse Code »

  Anatoly Trosinenko reports that a corrupted squashfs image can cause a
  kernel oops. It turns out that squashfs can end up being confused about
  negative fragment lengths.

  The regular squashfs_read_data() does check for negative lengths, but
  squashfs_read_metadata() did not, and the fragment size code just
  blindly trusted the on-disk value. Fix both the fragment parsing and
  the metadata reading code.

  Reported-by: Anatoly Trosinenko
  Cc: Al Viro
  Cc: Phillip Lougher
  Cc: stable@kernel.org
  Signed-off-by: Linus Torvalds

  Linus Torvalds

  2018-07-30 03:44:46 +0800  

29 May, 2011

1 commit

• d5b72ce15   Squashfs: Fix sanity check patches on big-endian systems ... Browse Code »

  le64 values should be swapped when accessing on
  big-endian systems.

  Signed-off-by: Phillip Lougher

  Phillip Lougher

  2011-05-29 17:03:09 +0800  

26 May, 2011

3 commits

• d7f2ff671   Squashfs: update email address ... Browse Code »

  My existing email address may stop working in a month or two, so update
  email to one that will continue working.

  Signed-off-by: Phillip Lougher

  Phillip Lougher

  2011-05-26 17:49:11 +0800  
• 1cac63cc9   Squashfs: add sanity checks to fragment reading at mount time ... Browse Code »

  Fsfuzzer generates corrupted filesystems which throw a warn_on in
  kmalloc. One of these is due to a corrupted superblock fragments field.
  Fix this by checking that the number of bytes to be read (and allocated)
  does not extend into the next filesystem structure.

  Also add a couple of other sanity checks of the mount-time fragment table
  structures.

  Signed-off-by: Phillip Lougher

  Phillip Lougher

  2011-05-26 01:21:33 +0800  
• 82de647e1   Squashfs: move table allocation into squashfs_read_table() ... Browse Code »

  This eliminates a lot of duplicate code.

  Signed-off-by: Phillip Lougher

  Phillip Lougher

  2011-05-26 01:21:31 +0800  

14 Jan, 2011

1 commit

• 8fcd97216   Squashfs: move squashfs_i() definition from squashfs.h ... Browse Code »

  Move squashfs_i() definition out of squashfs.h, this eliminates
  the need to #include squashfs_fs_i.h from numerous files.

  Signed-off-by: Phillip Lougher

  Phillip Lougher

  2011-01-14 05:24:15 +0800  

21 Jan, 2010

1 commit

• f1a40359f   Squashfs: factor out remaining zlib dependencies into separate wrapper file ... Browse Code »

  Move zlib buffer init/destroy code into separate wrapper file. Also
  make zlib z_stream field a void * removing the need to include zlib.h
  for most files.

  Signed-off-by: Phillip Lougher

  Phillip Lougher

  2010-01-21 05:47:47 +0800  

05 Jan, 2009

1 commit

• 122edd151   Squashfs: fragment block operations ... Browse Code »

  Signed-off-by: Phillip Lougher

  Phillip Lougher

  2009-01-05 16:46:25 +0800