Commit c1b20283 authored by Sean Nyekjaer's avatar Sean Nyekjaer Committed by Linus Torvalds
Browse files

squashfs: fix inode lookup sanity checks 

When mouting a squashfs image created without inode compression it fails
with: "unable to read inode lookup table"

It turns out that the BLOCK_OFFSET is missing when checking the
SQUASHFS_METADATA_SIZE agaist the actual size.

Link: https://lkml.kernel.org/r/20210226092903.1473545-1-sean@geanix.com


Fixes: eabac19e ("squashfs: add more sanity checks in inode lookup")
Signed-off-by: default avatarSean Nyekjaer <sean@geanix.com>
Acked-by: default avatarPhillip Lougher <phillip@squashfs.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 6d679578

fs/squashfs/export.c

+6 −2
Original line number Diff line number Diff line
@@ -152,14 +152,18 @@ __le64 *squashfs_read_inode_lookup_table(struct super_block *sb, 
		start = le64_to_cpu(table[n]);

		end = le64_to_cpu(table[n + 1]);



		if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {

		if (start >= end

		    || (end - start) >

		    (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {

			kfree(table);

			return ERR_PTR(-EINVAL);

		}

	}



	start = le64_to_cpu(table[indexes - 1]);

	if (start >= lookup_table_start || (lookup_table_start - start) > SQUASHFS_METADATA_SIZE) {

	if (start >= lookup_table_start ||

	    (lookup_table_start - start) >

	    (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {

		kfree(table);

		return ERR_PTR(-EINVAL);

	}

fs/squashfs/squashfs_fs.h

+1 −0
Original line number Diff line number Diff line
@@ -17,6 +17,7 @@ 


/* size of metadata (inode and directory) blocks */

#define SQUASHFS_METADATA_SIZE		8192

#define SQUASHFS_BLOCK_OFFSET		2



/* default size of block device I/O */

#ifdef CONFIG_SQUASHFS_4K_DEVBLK_SIZE