summaryrefslogtreecommitdiffstats
path: root/crypto/cast6_generic.c
diff options
context:
space:
mode:
authorPhillip Lougher <phillip@squashfs.org.uk>2021-02-09 13:41:53 -0800
committerLinus Torvalds <torvalds@linux-foundation.org>2021-02-09 17:26:44 -0800
commitf37aa4c7366e23f91b81d00bafd6a7ab54e4a381 (patch)
tree53aadb0ec27a249dca24aa315e945d1c82ca671e /crypto/cast6_generic.c
parente812cbbbbbb15adbbbee176baa1e8bda53059bf0 (diff)
downloadlinux-f37aa4c7366e23f91b81d00bafd6a7ab54e4a381.tar.bz2
squashfs: add more sanity checks in id lookup
Sysbot has reported a number of "slab-out-of-bounds reads" and "use-after-free read" errors which has been identified as being caused by a corrupted index value read from the inode. This could be because the metadata block is uncompressed, or because the "compression" bit has been corrupted (turning a compressed block into an uncompressed block). This patch adds additional sanity checks to detect this, and the following corruption. 1. It checks against corruption of the ids count. This can either lead to a larger table to be read, or a smaller than expected table to be read. In the case of a too large ids count, this would often have been trapped by the existing sanity checks, but this patch introduces a more exact check, which can identify too small values. 2. It checks the contents of the index table for corruption. Link: https://lkml.kernel.org/r/20210204130249.4495-3-phillip@squashfs.org.uk Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk> Reported-by: syzbot+b06d57ba83f604522af2@syzkaller.appspotmail.com Reported-by: syzbot+c021ba012da41ee9807c@syzkaller.appspotmail.com Reported-by: syzbot+5024636e8b5fd19f0f19@syzkaller.appspotmail.com Reported-by: syzbot+bcbc661df46657d0fa4f@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'crypto/cast6_generic.c')
0 files changed, 0 insertions, 0 deletions